Closed
Bug 875757
Opened 12 years ago
Closed 12 years ago
crash in js::ion::DoTypeUpdateFallback
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla24
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | + | verified |
People
(Reporter: scoobidiver, Assigned: bhackett1024)
References
()
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
There are about 20 crashes per hour.
It first showed up in 24.0a1/20130524. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=00b264c7cced&tochange=df526497d949
It might be a regression from bug 874687.
The stack traces are various:
Frame Module Signature Source
0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493
1 libxul.so EnterBaseline js/src/ion/BaselineJIT.cpp:154
Frame Module Signature Source
0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493
1 dalvik-heap (deleted) dalvik-heap @0x7d7fe
Frame Module Signature Source
0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493
1 libcrypto.so ERR_load_X509V3_strings
2 libcrypto.so ERR_load_X509V3_strings
3 libcrypto.so ERR_load_X509V3_strings
4 dalvik-heap (deleted) dalvik-heap @0x30efe
Frame Module Signature Source
0 libxul.so js::ion::DoTypeUpdateFallback js/src/vm/String.h:493
1 libskia.so libskia.so@0x2ffe
2 libskia.so libskia.so@0x2ffe
3 libskia.so libskia.so@0x2ffe
4 dalvik-bitmap-2 (deleted) dalvik-bitmap-2 @0x3511e
and so on
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3ADoTypeUpdateFallback
Reporter | ||
Comment 1•12 years ago
|
||
More reports also at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AAddTypePropertyId%28JSContext*%2C+JSObject*%2C+long%2C+JS%3A%3AValue+const%26%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId%28int%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId%28long%29
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3AIdToTypeId
Crash Signature: [@ js::ion::DoTypeUpdateFallback] → [@ js::ion::DoTypeUpdateFallback]
[@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ]
[@ js::types::IdToTypeId(int) ]
[@ js::types::IdToTypeId(long) ]
[@ js::types::IdToTypeId ]
OS: Android → All
Hardware: ARM → All
Whiteboard: [native-crash]
Reporter | ||
Updated•12 years ago
|
Crash Signature: [@ js::ion::DoTypeUpdateFallback]
[@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ]
[@ js::types::IdToTypeId(int) ]
[@ js::types::IdToTypeId(long) ]
[@ js::types::IdToTypeId ] → [@ js::ion::DoTypeUpdateFallback]
[@ js::types::AddTypePropertyId(JSContext*, JSObject*, long, JS::Value const&) ]
[@ js::types::IdToTypeId(int) ]
[@ js::types::IdToTypeId(long) ]
[@ js::types::IdToTypeId ]
[@ JSScript::getName(unsigned char*) ]
Comment 2•12 years ago
|
||
I have not had a crash since setting javascript.options.baselinejit.content;false. The page where I had the most crashes is this one http://www.crash.net/f1/news/191532/1/williams_to_mercedes_caterham_eyeing_renault_exit.html , but even this does not crash every time. It seems related to the code to launch ePlayer. Disabling the flash plug-in did not avoid the crash, in fact if anything it made it more likely to crash.
I've crashed here twice in less that fifteen minutes this morning...
bp-9eeac86d-50b1-44b8-af24-8faed2130524
bp-906e51d7-69e9-4d61-afe3-265b82130524
Reporter | ||
Comment 4•12 years ago
|
||
Loading the ref. URL crashes Firefox: bp-ddcd73de-0ad8-4232-8285-f85b02130524.
Keywords: reproducible
![]() |
||
Comment 5•12 years ago
|
||
bp-eb13af91-815f-4e3a-86c2-b5ec02130524
Crashed
http://hg.mozilla.org/mozilla-central/rev/97aa3da59001
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130524 Firefox/24.0 ID:20130524050555
STR
1. Open http://sports.yahoo.com/
2. Click YAHOO! SPORTS Logo at the top-right
Comment 6•12 years ago
|
||
Can someone verify if this happens with SPS profiler turned off? I can't take an immediate look at this but the answer will help determine whether bug 874687's fix is responsible for this.
![]() |
||
Comment 7•12 years ago
|
||
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/22bb671d4982
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523115653
Crash:
http://hg.mozilla.org/mozilla-central/rev/53bfd38cbc8c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523210626
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bb671d4982&tochange=53bfd38cbc8c
Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/96b964d758c8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523044733
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/b9beff192aa2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130523 Firefox/24.0 ID:20130523050033
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=96b964d758c8&tochange=b9beff192aa2
Triggered by:
b9beff192aa2 Brian Hackett — Bug 864218 - Improve performance when accessing variables defined in run-once closures, r=luke,jandem.
![]() |
||
Comment 8•12 years ago
|
||
> Triggered by:
> b9beff192aa2 Brian Hackett — Bug 864218 - Improve performance when accessing
> variables defined in run-once closures, r=luke,jandem.
Setting needinfo for Brian.
Flags: needinfo?(bhackett1024)
Updated•12 years ago
|
![]() |
||
Comment 9•12 years ago
|
||
I got a r=luke in-person to back bug 864218 out so the backout can make tomorrow's nightly, bhackett wasn't online on IRC.
Flags: needinfo?(bhackett1024)
![]() |
||
Comment 10•12 years ago
|
||
Bug 864218 has been backed out in:
https://hg.mozilla.org/mozilla-central/rev/7a2f7a45819a
Comment 12•12 years ago
|
||
I see this crash 100% of the time a few seconds after loading
http://www.csmonitor.com/Science/2013/0524/Why-did-our-ancestors-start-walking-upright-Ancient-terrain-may-hold-clue
Comment 13•12 years ago
|
||
Couple of Fennec Nigtly crashes FWIW:
Report ID Date Submitted
bp-2a0432b5-c2d6-44e9-8011-f791a2130525 05/25/13 03:31
bp-c672e9f9-2d2f-4990-827a-ae54c2130525 05/25/13 03:30
Comment 14•12 years ago
|
||
Clicking on any tv review link on the AV Club website seems to trigger this.
http://www.avclub.com/
Reporter | ||
Comment 15•12 years ago
|
||
Closing per comment 10.
Status: NEW → RESOLVED
tracking-fennec: ? → ---
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Comment 17•12 years ago
|
||
This crash is still #1 (and #3, #6) for 24.0a1 - the backout does not appear to have moved the needle.
Status: RESOLVED → REOPENED
Flags: needinfo?(nihsanullah)
Resolution: FIXED → ---
Comment 18•12 years ago
|
||
I'm sorry, I misinterpreted the results - there have been no more crashes with build ids since 5/24 builds, so this only remains since the volume was so high.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Flags: needinfo?(nihsanullah)
Resolution: --- → FIXED
Comment 19•12 years ago
|
||
Assigning to bhackett because it appears patch on Bug 864218 was the culprit and tracking bugs need owners.
Assignee: general → bhackett1024
Comment 20•12 years ago
|
||
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:26.0) Gecko/20100101 Firefox/26.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:26.0) Gecko/20100101 Firefox/26.0
Couldn't reproduce this issue with STR from comment 2, comment 4, comment 5, comment 14 and comment 12 on Nightly (2013-05-23).
Verified as fixed on Firefox 24 beta 4 (Build ID: 20130605070403) and latest Nightly (Build ID: 20130820030206): no crash when loading or navigating on the above URLs.
In Socorro there are some crashes with this signatures for the latest builds:
- http://goo.gl/kBlaeQ
- http://goo.gl/xomhHt
- http://goo.gl/PeZb5Y
- http://goo.gl/uxyWhI
Any thoughts?
Updated•12 years ago
|
Flags: needinfo?
Comment 21•12 years ago
|
||
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Verified as fixed with FF 24 beta 8 (Build ID: 20130902131354).
Reports from Socorro:
- 1st signature: 0 crashes with beta 7
- 2nd signature: 0 crashes with beta 7
- 3rd signature: 3 crashes with beta 7: http://goo.gl/VehHc0
- 4th signature: 0 crashes with beta 7
- 5th signature: 0 crashes with beta 7
- 6th signature: 3 crashes with beta 7: http://goo.gl/wC9VxB
Marking as verified per this results and comment 20.
You need to log in
before you can comment on or make changes to this bug.
Description
•