Closed
Bug 884053
Opened 11 years ago
Closed 11 years ago
crash in js::CreateThisForFunctionWithProto @ js::types::TypeSet::hasType
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla25
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | + | verified |
People
(Reporter: scoobidiver, Assigned: bhackett1024)
References
()
Details
(4 keywords)
Crash Data
Attachments
(1 file)
899 bytes,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
With the stack trace below, it first showed up in 24.0a1/20130615. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317 Signature js::types::TypeSet::hasType(js::types::Type) More Reports Search UUID 9da3791b-ed06-4052-bee1-235d62130617 Date Processed 2013-06-17 19:57:46 Uptime 15 Last Crash 34 seconds before submission Install Age 15 seconds since version was first installed. Install Time 2013-06-17 19:57:25 Product Firefox Version 24.0a1 Build ID 20130617031112 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 23 stepping 10 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x56a1 App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x0de0, AdapterSubsysID: 00000000, AdapterDriverVersion: 9.18.13.1407 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ Processor Notes sp-processor05_phx1_mozilla_com_25008:2012 EMCheckCompatibility True Adapter Vendor ID 0x10de Adapter Device ID 0x0de0 Total Virtual Memory 4294836224 Available Virtual Memory 3673063424 System Memory Use Percentage 36 Available Page File 6777159680 Available Physical Memory 2732924928 Frame Module Signature Source 0 mozjs.dll js::types::TypeSet::hasType js/src/jsinferinlines.h:1318 1 mozjs.dll js::CreateThisForFunctionWithProto js/src/jsobj.cpp:1556 2 mozjs.dll js::ion::CreateThisForFunctionWithProtoWrapper js/src/ion/CodeGenerator.cpp:3106 3 mozjs.dll js::CloneFunctionObject js/src/jsfun.cpp:1550 4 mozjs.dll js::Lambda js/src/vm/Interpreter.cpp:3200 5 @0xffffff82 More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
Reporter | ||
Updated•11 years ago
|
status-firefox23:
--- → unaffected
status-firefox-esr17:
affected → ---
Reporter | ||
Comment 1•11 years ago
|
||
It's #4 top browser crasher in today's build.
tracking-firefox24:
--- → ?
Keywords: topcrash
Updated•11 years ago
|
Keywords: needURLs,
steps-wanted
Updated•11 years ago
|
Comment 2•11 years ago
|
||
CCing :naveed to see if he can help find an assignee here and see if anything in the regression range could be an obvious bug ?
Comment 3•11 years ago
|
||
Total Count URL 183 https://www.facebook.com/ 74 http://www.facebook.com/ 61 about:blank 28 https://www.facebook.com/?ref=tn_tnmn 23 https://www.facebook.com/login.php?login_attempt=1 15 https://adwords.google.com/o/Targeting/Explorer?__c=1000000000&__u=1000000000&ideaRequestType=KEYWORD_IDEAS 12 http://www.facebook.com/?ref=tn_tnmn 10 http://www.google.co.in/ 8 about:newtab
Keywords: needURLs
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeSet::addType(JSContext*, js::types::Type)]
OS: Windows 7 → All
Reporter | ||
Comment 4•11 years ago
|
||
It accounts for 6% of crashes over the last three builds. Tracy, can you provide URLs only for 24.0a1 because crashes with this signature in previous versions are unrelated?
Flags: needinfo?(twalker)
Keywords: needURLs
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeSet::addType(JSContext*, js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeSet::addType(JSContext*, js::types::Type)]
[@ js::types::TypeScript::SetThis(JSContext*, JSScript*, js::types::Type)]
Comment 5•11 years ago
|
||
The URL's provided previously were what crash-stats gave me for 24. Here's an updated list: Total Count URL 239 https://www.facebook.com/ 92 about:blank 72 http://www.facebook.com/ 36 https://adwords.google.com/o/Targeting/Explorer?__c=1000000000&__u=1000000000&ideaRequestType=KEYWORD_IDEAS 35 https://ssl.gstatic.com/orkut/ads/gen/afci007.html#google_ad_width=300&google_ad_height=250&google_image_size=300x250&google_ad_format=300x250_as_new&google_color_border=ffffff&google_color_bg=ffffff&google_color_text=000000&google_color_link=3767be&googl 35 http://www.orkut.com.br/Main#Home 27 https://www.facebook.com/?ref=tn_tnmn 25 https://www.facebook.com/login.php?login_attempt=1 12 https://www.cmb.fr/banque/assurance/credit-mutuel/web/yc_8462/prive 12 http://www.orkut.co.in/Main#Home 12 http://www.facebook.com/?ref=tn_tnmn 11 https://www.google.com/adsense/app#home 9 https://www.google.com/adsense/app
Flags: needinfo?(twalker)
Reporter | ||
Updated•11 years ago
|
Comment 6•11 years ago
|
||
STR Open URL Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911 Pushlog http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4 Regressed by : Bug 678037
Reporter | ||
Updated•11 years ago
|
Blocks: LazyBytecode
Keywords: regressionwindow-wanted
Assignee | ||
Comment 7•11 years ago
|
||
I think this will fix these crashes, there is an incorrect use of nonLazyScript() on that stack.
Assignee: general → bhackett1024
Attachment #766760 -
Flags: review?(luke)
Updated•11 years ago
|
Attachment #766760 -
Flags: review?(luke) → review+
Assignee | ||
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d153e27afde3
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d153e27afde3
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Reporter | ||
Comment 10•11 years ago
|
||
It was #4 top browser crasher in 24.0a1. An uplift to Aurora would be fine before 24.0a2 is released.
Reporter | ||
Comment 11•11 years ago
|
||
For some reasons, there are no crashes with this signature after 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The working range is: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69 Is it indirectly fixed by bug 886660?
Whiteboard: [workingwindow-wanted]
Comment 12•11 years ago
|
||
(In reply to Scoobidiver from comment #11) > For some reasons, there are no crashes with this signature after > 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The > working range is: > http://hg.mozilla.org/releases/mozilla-aurora/ > pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69 > Is it indirectly fixed by bug 886660? Fixed window (aurora) Bad: http://hg.mozilla.org/releases/mozilla-aurora/rev/67b0221cbd69 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626140739 Good: http://hg.mozilla.org/releases/mozilla-aurora/rev/d5940f917a9a Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626180956 Fixed pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=67b0221cbd69&tochange=d5940f917a9a I guess; Fixed by: dbba940275aa Kannan Vijayan — Bug 883973 - Disable heavyweight function inlining. r=dvander, a=bajaj
Reporter | ||
Comment 13•11 years ago
|
||
Do you still want to uplift the null check based on comment 12?
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 14•11 years ago
|
||
(In reply to Scoobidiver from comment #13) > Do you still want to uplift the null check based on comment 12? I think if the signature is no longer crashing then the uplift shouldn't be needed.
Flags: needinfo?(bhackett1024)
Reporter | ||
Comment 15•11 years ago
|
||
Marking as fixed in 24.0 per comment 12.
Comment 16•11 years ago
|
||
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0 Unable to crash Firefox 24 beta 8 (buildID: 20130902131354) and latest Nightly (buildID: 20130903030201). Still a few crashes in Socorro in Firefox 24 beta 7, but less and less with each beta. I think there is safe to call this verified fixed. https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-09-03&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29&version=Firefox%3A24.0b7
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•