Closed Bug 884053 Opened 11 years ago Closed 11 years ago

crash in js::CreateThisForFunctionWithProto @ js::types::TypeSet::hasType

Categories

(Core :: JavaScript Engine, defect)

24 Branch
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla25
Tracking Status
firefox23 --- unaffected
firefox24 + verified

People

(Reporter: scoobidiver, Assigned: bhackett1024)

Details

(4 keywords)

Attachments

(1 file)

With the stack trace below, it first showed up in 24.0a1/20130615. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317

Signature 	js::types::TypeSet::hasType(js::types::Type)
UUID	9da3791b-ed06-4052-bee1-235d62130617
Date Processed	2013-06-17 19:57:46
Uptime	15
Last Crash	34 seconds before submission
Install Age	15 seconds since version was first installed.
Install Time	2013-06-17 19:57:25
Product	Firefox
Version	24.0a1
Build ID	20130617031112
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x56a1
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0de0, AdapterSubsysID: 00000000, AdapterDriverVersion: 9.18.13.1407
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor05_phx1_mozilla_com_25008:2012
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x0de0
Total Virtual Memory	4294836224
Available Virtual Memory	3673063424
System Memory Use Percentage	36
Available Page File	6777159680
Available Physical Memory	2732924928

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::types::TypeSet::hasType 	js/src/jsinferinlines.h:1318
1 	mozjs.dll 	js::CreateThisForFunctionWithProto 	js/src/jsobj.cpp:1556
2 	mozjs.dll 	js::ion::CreateThisForFunctionWithProtoWrapper 	js/src/ion/CodeGenerator.cpp:3106
3 	mozjs.dll 	js::CloneFunctionObject 	js/src/jsfun.cpp:1550
4 	mozjs.dll 	js::Lambda 	js/src/vm/Interpreter.cpp:3200
5 		@0xffffff82 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
It's #4 top browser crasher in today's build.
Keywords: topcrash
CCing :naveed to see if he can help find an assignee here and see if anything in the regression range could be an obvious bug?
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::addType(JSContext*, js::types::Type)]
OS: Windows 7 → All
It accounts for 6% of crashes over the last three builds.

Tracy, can you provide URLs only for 24.0a1 because crashes with this signature in previous versions are unrelated?
Flags: needinfo?(twalker)
Keywords: needURLs
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::addType(JSContext*, js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::addType(JSContext*, js::types::Type)] [@ js::types::TypeScript::SetThis(JSContext*, JSScript*, js::types::Type)]
Keywords: needURLs
STR
Open URL

Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911
Pushlog
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4

Regressed by : Bug 678037
Attached patch: patch
I think this will fix these crashes. There is an incorrect use of nonLazyScript() on that stack.
Assignee: general → bhackett1024
Attachment #766760 - Flags: review?(luke)
Attachment #766760 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/d153e27afde3
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
It was #4 top browser crasher in 24.0a1. An uplift to Aurora would be fine before 24.0a2 is released.
For some reason, there are no crashes with this signature after 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The working range is:
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69
Is it indirectly fixed by bug 886660?
Whiteboard: [workingwindow-wanted]
(In reply to Scoobidiver from comment #11)
> For some reason, there are no crashes with this signature after
> 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The
> working range is:
> http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69
> Is it indirectly fixed by bug 886660?

Fixed window (aurora)
Bad:
http://hg.mozilla.org/releases/mozilla-aurora/rev/67b0221cbd69
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626140739
Good:
http://hg.mozilla.org/releases/mozilla-aurora/rev/d5940f917a9a
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626180956
Fixed pushlog:
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=67b0221cbd69&tochange=d5940f917a9a

I guess:
Fixed by: 	dbba940275aa	Kannan Vijayan — Bug 883973 - Disable heavyweight function inlining. r=dvander, a=bajaj
Depends on: 883973
Whiteboard: [workingwindow-wanted]
Do you still want to uplift the null check based on comment 12?
Flags: needinfo?(bhackett1024)
(In reply to Scoobidiver from comment #13)
> Do you still want to uplift the null check based on comment 12?

I think if the signature is no longer crashing then the uplift shouldn't be needed.
Flags: needinfo?(bhackett1024)
Marking as fixed in 24.0 per comment 12.
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0

Unable to crash Firefox 24 beta 8 (buildID: 20130902131354) and latest Nightly (buildID: 20130903030201). Still a few crashes in Socorro in Firefox 24 beta 7, but fewer and fewer with each beta. I think it is safe to call this verified fixed.
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-09-03&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29&version=Firefox%3A24.0b7
Status: RESOLVED → VERIFIED