Closed Bug 883562 Opened 6 years ago Closed 6 years ago

Crash [@ js::ObjectImpl::getSlot(unsigned int) ]

Component: Core :: JavaScript Engine
Type: defect
Version: 24 Branch
Priority: Not set
Severity: critical

Status: RESOLVED FIXED
Target Milestone: mozilla24
Tracking Status: firefox23 --- unaffected; firefox24 + verified

Reporter: gps
Assignee: bhackett

I am able to reproduce crashes on 2013-06-15 Nightly on Windows 7 by doing the following:

1) Load http://bl.ocks.org/mbostock/1667367
2) Place mouse in the lower chart, click and hold, and start moving left and right.
3) Crash occurs within a few mouse movements.

Crashes:

https://crash-stats.mozilla.com/report/index/bp-ec89df91-632c-4365-931d-105152130615
https://crash-stats.mozilla.com/report/index/bp-f886c393-6e5f-4763-9c11-bfc472130615
https://crash-stats.mozilla.com/report/index/bp-7fa7b653-96e0-4d32-ad9a-369be2130615
https://crash-stats.mozilla.com/report/index/bp-eec74f19-8e66-4302-8c1e-ae03c2130615

Unfortunately, I cannot reproduce in safe mode. I have a number of add-ons installed.

I can load up Visual Studio and try to debug things if that will be helpful. Just needinfo me.
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)]
Keywords: crash
I can reproduce.

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317

Stack trace:
Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::ObjectImpl::getSlot 	js/src/vm/ObjectImpl.h:1400
1 	mozjs.dll 	InitFromBailout 	js/src/ion/BaselineBailouts.cpp:478
2 	mozjs.dll 	js::ion::BailoutIonToBaseline 	js/src/ion/BaselineBailouts.cpp:1086
3 	mozjs.dll 	js::ion::Bailout 	js/src/ion/Bailouts.cpp:81
4 		@0x2bb6f8 	
5 		@0x4 	
6 	mozjs.dll 	js::ToNumberSlow 	js/src/jsnum.cpp:1463

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AObjectImpl%3A%3AgetSlot%28unsigned+int%29
Severity: normal → critical
Hardware: x86_64 → x86
Version: unspecified → 24 Branch
Regression window (m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911
Pushlog
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4

Suspected: Bug 678037
Blocks: LazyBytecode
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const]
OS: Windows 7 → All
Hardware: x86 → All
Attached patch: patch
I think this will fix these crashes (haven't confirmed).  Bailing out from baseline would assume that functions read from the stack have a non-lazy script, which might not be the case for the callees of inlined Ion frames (see bug 883630).
Assignee: general → bhackett1024
Attachment #763259 - Flags: review?(jdemooij)
Pushing ahead of review to see if the crashes get fixed.

https://hg.mozilla.org/integration/mozilla-inbound/rev/14fc609da59a
Duplicate of this bug: 883633
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ]
https://hg.mozilla.org/mozilla-central/rev/14fc609da59a
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Attachment #763259 - Flags: review?(jdemooij) → review+
Duplicate of this bug: 883677
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ] [@ js::ion::SnapshotIterator::slotValue(js::ion::SnapshotReader::Slot const&) ]
Verified as fixed with Firefox 24 beta 8 (build ID: 20130902131354), on Mac OSX 10.7.5, Ubuntu 12.10 32bit and Win 8 32bit. No more crashing with the URLs from comment 0, comment 3 and comment 4.

Reports from Socorro, regarding last month:

1) for the first signature, there are 9 crashes with 24.0b7

https://crash-stats.mozilla.com/report/list?signature=js%3A%3AObjectImpl%3A%3AgetSlot%28unsigned+int%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-09-03+08%3A00%3A00&range_value=4

2) for the second signature, there aren't any crashes regarding last month

3) for the third signature, there are 2 crashes with 24.0b5

https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3ASnapshotIterator%3A%3AslotValue%28js%3A%3Aion%3A%3ASnapshotReader%3A%3ASlot+const%26%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-09-03+08%3A00%3A00&range_value=4
QA Contact: manuela.muntean