Closed Bug 991847 Opened 11 years ago Closed 6 years ago

crash in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)

Categories

(Core :: JavaScript Engine, defect)

31 Branch
x86
Windows NT
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox31 + wontfix
firefox47 --- affected
firefox-esr45 --- affected

People

(Reporter: u279076, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-de527afe-f975-40aa-80df-385642140403.
=============================================================
0 mozjs.dll js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) js/src/vm/Interpreter.cpp
1 mozjs.dll js_fun_call(JSContext *,unsigned int,JS::Value *) js/src/jsfun.cpp
2 @0xa0a1fb4
3 @0x1963b110
4 @0x3e910e35

More reports: https://crash-stats.mozilla.com/report/list?signature=js%3A%3AInvoke%28JSContext*%2C+JS%3A%3ACallArgs%2C+js%3A%3AMaybeConstruct%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&version=Firefox%3A31.0a1&hang_type=any&date=2014-04-03+18%3A00%3A00&range_value=1#reports

This first showed up in Firefox 31.0a1 after GGC was enabled and seems highly correlated to http://www.imvu.com. It is currently #20 @ 0.61% in Nightly. Terrence, can you look into this to see if it's related to GGC?
Flags: needinfo?(terrence)
Couldn't crash http://www.imvu.com/, 31.0a1 (2014-04-04) Win 7 x64
Summary: [GGC?] crash in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) → crash in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)
Whiteboard: [GGC]
Blocks: 994589
No crashes with this signature reported on builds after 8 Apr.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(terrence)
Resolution: --- → DUPLICATE
No longer tracking
Marking this verified fixed for Firefox 31 given the status of bug 992535.
I'm reopening this bug and nominating it for tracking. I don't think bug 992535 fixed this signature as it's rising quite rapidly. In the last 3 days it's up 22 positions to #14, accounting for 0.75% of our Firefox 31 crashes. In the last 7 days it's up 248 positions to #30, accounting for 0.39% of our Firefox 31 crashes. Either this is a new crash with the same signature or bug 992535 hasn't resolved it. I wasn't able to get correlations for this but checking through 20 random reports, 12 of them had fx-searchtest@mozilla.org installed as an extension. Could this be search experiment related?
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
This has [GGC] set in the whiteboard. Given that GGC is off in 31 now, I'm pretty sure something is wrong here. I remember seeing this without GGC and it actually was mostly gone in 31 before we deactivated GGC, so I'm pretty sure that either GGC moves this to a different signature or even fixes it.
Too late for 31. Do we know if it impacts 32 too?
I get a reproducible crash with this signature, when I run http://peterjensen.github.io/mandelbrot/js/mandelbrot-asm.html on latest nightly using e10s (after pressing "start" and then "use simd"), on linux-64.
Happens with or without e10s actually, so not e10s related.
Alon, can you still reproduce this? Do you have a crash report? Doesn't crash for me on OS X 64-bit with 09/14 Nightly.
Flags: needinfo?(azakai)
Yes, still happens 100% of the time on this machine. Perhaps it's linux64-only? Although I don't see it on another linux64 machine. Here is an example crash: https://crash-stats.mozilla.com/report/index/c7410496-de69-4a90-93b7-a6bc82140916
Flags: needinfo?(azakai)
What I see might be a SIMD-specific issue on my machine (bug 1068331), that just happens to have the same signature as this.
All crashes after re-opening are not related to GGC or GC, so removing those tags.
No longer blocks: 994589
Whiteboard: [GGC]
Hello Anthony! Is bp-3dd20fed-f425-4e62-ba9e-f4af02150914 this bug or a different one? Thanks!

Steps:
- Shutdown Windows 7 without closing Nightly first
- Force shutdown upon Nightly's shutdown hang

Crashing Thread
Frame Module Signature Source
0 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp
1 xul.dll js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
2 xul.dll MaybeCallMethod js/src/jsobj.cpp
3 xul.dll JS::OrdinaryToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) js/src/jsobj.cpp
4 xul.dll date_convert js/src/jsdate.cpp
5 xul.dll js::ToNumberSlow(js::ExclusiveContext*, JS::Value, double*) js/src/jsnum.cpp
6 xul.dll js::SubValues(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
7 @0x1718a3c413d
Flags: needinfo?(anthony.s.hughes)
(In reply to alex_mayorga from comment #16)
> Hello Anthony!
>
> Is bp-3dd20fed-f425-4e62-ba9e-f4af02150914 this bug or a different one?

This looks like a different crash than what this bug is tracking. Terrence, what do you think? Alex, if Terrence agrees, please file a new bug.
Flags: needinfo?(anthony.s.hughes) → needinfo?(terrence)
Yes, comment 16, this is definitely a different issue and should have a different bug. A jit or asm peer would need to investigate more, but I could see this happening if forcing shutdown disabled our interrupt overrides while jit-code was still running.
Flags: needinfo?(terrence)
Crash Signature: [@ js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)] → [@ js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)] [@ js::Invoke]
Crash volume for signature 'js::Invoke':
- nightly (version 50): 0 crashes from 2016-06-06.
- aurora (version 49): 0 crashes from 2016-06-07.
- beta (version 48): 0 crashes from 2016-06-06.
- release (version 47): 1436 crashes from 2016-05-31.
- esr (version 45): 58 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
- nightly        0       0       0       0       0       0       0
- aurora         0       0       0       0       0       0       0
- beta           0       0       0       0       0       0       0
- release      191     164     203     193     195     220     190
- esr            9       7       7       3       4       9       6

Affected platforms: Windows, Mac OS X, Linux

Closing because no crashes reported for 12 weeks.

Status: REOPENED → RESOLVED
Closed: 11 years ago → 6 years ago
Resolution: --- → WORKSFORME