Closed Bug 995982 Opened 10 years ago Closed 10 years ago

crash in `anonymous namespace''::TypedArrayObjectTemplate<unsigned char>::fromArray(JSContext*, JS::Handle<JSObject*>)

Categories: Core :: JavaScript Engine, defect, P1
Version: 31 Branch
Tracking: RESOLVED DUPLICATE of bug 993768
Tracking Status: firefox31 - affected
People: Reporter: lizzard, Assigned: bhackett1024
Keywords: crash, regression
Attachments: 1 file, 2 obsolete files

This bug was filed from the Socorro interface and is report bp-24b339d9-e3f8-4aa7-9d88-cab242140413.
=============================================================

This crash signature first appeared on 3-11-2014 on Firefox 31.0a1 and caused 56 out of 11686 crashes in the last 7 days.  

More reports: 
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2014-04-14&signature=%60anonymous+namespace%27%27%3A%3ATypedArrayObjectTemplate%3Cunsigned+char%3E%3A%3AfromArray%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%29&version=Firefox%3A31.0a1#tab-reports

A similar crash started showing up on 31.0a1, with 96 out of 11686 crashes in the last 7 days. 

https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2014-04-14&signature=%60anonymous+namespace%27%27%3A%3ATypedArrayObjectTemplate%3Cunsigned+char%3E%3A%3AcopyFromArray%28JSContext%2A%2C+JS%3A%3AHandle%3CJSObject%2A%3E%2C+JS%3A%3AHandle%3CJSObject%2A%3E%2C+unsigned+int%2C+unsigned+int%29&version=Firefox%3A31.0a1

From the URLs reported they look related to pdf.js.   

stack:
0  @0xd31b6ea
1  mozjs.dll  `anonymous namespace'::TypedArrayObjectTemplate<unsigned char>::fromArray(JSContext *,JS::Handle<JSObject *>)  js/src/vm/TypedArrayObject.cpp
2  mozjs.dll  `anonymous namespace'::TypedArrayObjectTemplate<unsigned char>::create(JSContext *,JS::CallArgs const &)  js/src/vm/TypedArrayObject.cpp
3  mozjs.dll  js::jit::OperatorIn(JSContext *,JS::Handle<JS::Value>,JS::Handle<JSObject *>,bool *)  js/src/jit/VMFunctions.cpp

URLs:
6 	http://www.pm.ma.gov.br/bg/Boletins%20de%20Inclus%C3%A3o/ADIT%20BG%20010%20DE...
5 	http://www.math.uwaterloo.ca/~mscott/euler.htm
5 	http://www.physics.umd.edu/courses/Phys260/ji/HW9.PDF
4 	https://blackboard.louisville.edu/bbcswebdav/pid-7559315-dt-content-rid-11806...
4 	http://www.math.uwaterloo.ca/%7Emscott/138_Week7.pdf
4 	http://www.balcescucj.ro/onf/files/comisia_centrala.pdf
3 	http://www.fireye.com/Documents/C400.pdf
Last good nightly: 2014-04-07
First bad nightly: 2014-04-08

Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5405d6f4e3c6&tochange=8883360b1edb
bhackett, maybe this is related to your changes?
Flags: needinfo?(sphink)
Flags: needinfo?(bhackett1024)
Backing out the following solved the issue:

d5b0e9e6a849	Brian Hackett — Bug 987508 - Create array buffers lazily for small typed arrays, r=sfink.
Blocks: 987508
Component: PDF Viewer → JavaScript Engine
OS: Windows NT → All
Product: Firefox → Core
Hardware: x86 → All
Version: unspecified → 31 Branch
Assignee: nobody → bhackett1024
Priority: -- → P1
Attached patch: patch (obsolete)
This fixes the crash for me.  When allocating typed array objects in the nursery, forwarding pointers weren't being set up properly.
Attachment #8406546 - Flags: review?(sphink)
Flags: needinfo?(bhackett1024)
Wow, that was fast! You are all awesome!
Attached patch: updated (obsolete)
Fix for the last patch: we need to make sure there is space available to store the forwarding pointer.
Attachment #8406546 - Attachment is obsolete: true
Attachment #8406546 - Flags: review?(sphink)
Attachment #8406949 - Flags: review?(sphink)
Attachment #8406949 - Flags: review?(sphink) → review+
Attached patch: rebased
Updated/rebased patch; also fixes dumb Max/Min confusion.
Attachment #8406949 - Attachment is obsolete: true
Attachment #8411215 - Flags: review+
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/208bcb7879c0

*Please* make sure your patches include commit information when requesting checkin.
Keywords: checkin-needed
I had to back this out in http://hg.mozilla.org/integration/mozilla-inbound/rev/2e62324ea929 for assertions in mochitest-1 runs: https://tbpl.mozilla.org/php/getParsedLog.php?id=38350366&tree=Mozilla-Inbound
Assertion failure: isInside(oldData) == (oldData == src->fixedData(TypedArrayObject::FIXED_DATA_START)), at c:\builds\moz2_slave\m-in-w32-d-0000000000000000000\build\js\src\gc/Nursery.cpp:577
TEST-UNEXPECTED-FAIL | /tests/content/media/webaudio/test/test_bug867174.html | application terminated with exit code 2147483651
PROCESS-CRASH | /tests/content/media/webaudio/test/test_bug867174.html | application crashed [@ js::Nursery::moveObjectToTenured(JSObject *,JSObject *,js::gc::AllocKind)]
Return code: 1
Flags: needinfo?(bhackett1024)
It looks like Jon Coppeard fixed this in bug 993768.  This patch had yet another dumb confusion (src/dst) that caused the assertion failure.
Flags: needinfo?(bhackett1024)
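The three points raised in the patch comments (a nursery cell must be large enough to hold the forwarding pointer, the inline-data invariant asserted in the backout log, and the src/dst mix-up when re-pointing inline data) as a toy C model added here; this is not SpiderMonkey's code, and the struct layouts, sizes and names (TA, Forwarded, nursery_alloc, move_to_tenured, forwarded_target) are assumptions of the model.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, not SpiderMonkey code: a nursery-allocated uint8 typed array whose
 * small buffer lives inline (lazy array buffer), and the forwarding record
 * written into its old cell when the collector moves it to the tenured heap. */
enum { NURSERY_SIZE = 4096, INLINE_MAX = 16, FORWARD_MAGIC = 0xF0F0F0F0u };
typedef struct TA { uint32_t len; uint8_t *data; uint8_t fixed[]; } TA;  /* data==fixed when inline */
typedef struct { uint32_t magic; TA *forward; size_t moved_bytes; } Forwarded;
static uint8_t nursery[NURSERY_SIZE];
static size_t nursery_used;
static int is_inside(const void *p) {
    return (const uint8_t *)p >= nursery && (const uint8_t *)p < nursery + NURSERY_SIZE;
}

/* Bump-allocate a cell big enough to hold a Forwarded record later, even when the array keeps nothing inline. */
static TA *nursery_alloc(uint32_t len) {
    size_t cell = sizeof(TA) + (len <= INLINE_MAX ? len : 0);
    if (cell < sizeof(Forwarded)) cell = sizeof(Forwarded);  /* the missing space check */
    cell = (cell + 7) & ~(size_t)7;
    if (nursery_used + cell > NURSERY_SIZE) return NULL;
    TA *obj = (TA *)(nursery + nursery_used);
    nursery_used += cell;
    obj->len = len;
    obj->data = len <= INLINE_MAX ? obj->fixed : malloc(len);  /* large buffers live off-nursery */
    return obj;
}

/* Copy src out of the nursery, re-point inline data at the copy, and leave a forwarding record behind. */
static TA *move_to_tenured(TA *src) {
    uint8_t *old = src->data;
    /* The invariant from the backout log: nursery-resident data must be exactly this object's inline storage. */
    assert(is_inside(old) == (old == src->fixed));
    size_t n = sizeof(TA) + (old == src->fixed ? src->len : 0);
    TA *dst = malloc(n);
    memcpy(dst, src, n);
    if (old == src->fixed) dst->data = dst->fixed;  /* dst, not src: the src/dst mix-up */
    Forwarded f = { FORWARD_MAGIC, dst, n };
    memcpy(src, &f, sizeof f);  /* fits because nursery_alloc reserved the space */
    return dst;
}

/* Follow a forwarding record, or return NULL if the cell has not been moved. */
static TA *forwarded_target(const void *cell) {
    Forwarded f;
    memcpy(&f, cell, sizeof f);
    return f.magic == FORWARD_MAGIC ? f.forward : NULL;
}
```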
Brian, reading your comment 11, I am not sure what you mean. Is that bug fixed by bug 993768 or the failure which caused the backout?
Flags: needinfo?(bhackett1024)
(In reply to Sylvestre Ledru [:sylvestre] from comment #12)
> Brian, reading your comment 11, I am not sure what you mean. Is that bug
> fixed by bug 993768 or the failure which caused the backout?

Bug 993768 fixed this bug.
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(sphink)