Closed Bug 876272 Opened 7 years ago Closed 2 years ago

crash in JSAtom* js::AtomizeChars

Categories

(Core :: JavaScript Engine, defect, critical)

21 Branch
ARM
Android
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1373934
Tracking Status
firefox21 --- affected
firefox22 --- affected
firefox23 --- affected

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, Whiteboard: [native-crash][startupcrash])

Crash Data

It's #40 crasher in 21.0, #193 in 22.0b2, and #107 in 23.0a2.

Signature 	JSAtom* js::AtomizeChars<(js::AllowGC)1>(JSContext*, unsigned short const*, unsigned int, js::InternBehavior) More Reports Search
UUID	6e8541dc-7759-4925-acff-7cec62130526
Date Processed	2013-05-26 11:43:05
Uptime	10
Last Crash	1.8 weeks before submission
Install Age	1.8 hours since version was first installed.
Install Time	2013-05-26 09:51:55
Product	FennecAndroid
Version	22.0
Build ID	20130521221559
Release Channel	beta
OS	Android
OS Version	0.0.0 Linux 2.6.39.4 #2 SMP PREEMPT Wed Feb 20 20:41:34 JST 2013 armv7l DOCOMO/F10D/F10D:4.0.3/V21R48A/F10D.20130220.203539:user/release-keys
Build Architecture	arm
Build Architecture Info	ARMv0
Crash Reason	SIGBUS
Crash Address	0x5e3bcec1
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra 3 -- OpenGL ES 2.0 14.01002 -- Model: F-10D, Product: F10D, Manufacturer: FUJITSU, Hardware: f12arc'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
FUJITSU F-10D
DOCOMO/F10D/F10D:4.0.3/V21R48A/F10D.20130220.203539:user/release-keys
Processor Notes 	sp-processor06_phx1_mozilla_com_16597:2012; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra 3
Device	FUJITSU F-10D
Android API Version	15 (REL)
Android CPU ABI	armeabi-v7a

Frame 	Module 	Signature 	Source
0 	libxul.so 	JSAtom* js::AtomizeChars< 	js/src/jsatom.h:70
1 	libmozglue.so 	arena_malloc 	memory/mozjemalloc/jemalloc.c:4167
2 	libxul.so 	bool js::XDRAtom< 	js/src/jsatom.cpp:490
3 	libxul.so 	bool js::XDRScript< 	js/src/jsscript.cpp:636
4 	libmozglue.so 	arena_malloc 	memory/mozjemalloc/jemalloc.c:4167

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSAtom*+js%3A%3AAtomizeChars%3C%28js%3A%3AAllowGC%291%3E%28JSContext*%2C+unsigned+short+const*%2C+unsigned+int%2C+js%3A%3AInternBehavior%29
It's #46 crasher in 22.0 and #142 in 23.0b8.
I'm seeing something very similar at https://tbpl.mozilla.org/php/getParsedLog.php?id=43762075&tree=Mozilla-Inbound&full=1#error1 generated by a nearly do-nothing patch at https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=9198564a941c

https://crash-stats.mozilla.com/query/?query_type=simple&query=AtomizeChars shows a smattering of crashes across platforms.

The following builds did not show the problem. But the problem *did* occur on both OSX opt builds for that push.

As with this bug, it's an AtomizeChars crash inside of XDRScript<1>().
Assignee: general → nobody
Crash Signature: [@ JSAtom* js::AtomizeChars<(js::AllowGC)1>(JSContext*, unsigned short const*, unsigned int, js::InternBehavior)] [@ js::AtomizeChars ] → [@ JSAtom* js::AtomizeChars<(js::AllowGC)1>(JSContext*, unsigned short const*, unsigned int, js::InternBehavior)] [@ js::AtomizeChars ] [@ JSAtom* js::AtomizeChars<T>]
Closing the crashes that remain are being tracked in Bug 1373934. Whatever useful logs/crashes this bug had are now lost to the mist.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1373934
You need to log in before you can comment on or make changes to this bug.