Closed
Bug 604818
Opened 14 years ago
Closed 14 years ago
Crash in [@ Decompile ]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 607174
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
People
(Reporter: marcia, Assigned: dvander)
Details
(Keywords: crash, topcrash, Whiteboard: [to be fixed by 595243?])
Seen while reviewing trunk crash stats. Currently the #20 top crash on the trunk. http://tinyurl.com/2aojopy links to the crashes which are on all platforms.
Frame | Module | Signature | Source |
---|---|---|---|
0 | libxul.so | Decompile | js/src/jsopcode.cpp:3991 |
1 | libxul.so | DecompileCode | js/src/jsopcode.cpp:4891 |
2 | libxul.so | DecompileExpression | js/src/jsopcode.cpp:5335 |
3 | libxul.so | js_DecompileValueGenerator | js/src/jsopcode.cpp:5198 |
4 | libxul.so | js_ReportValueErrorFlags | js/src/jsopcode.h:484 |
5 | libxul.so | js_ReportIsNotFunction | js/src/jsfun.cpp:3104 |
6 | libxul.so | js::Invoke | js/src/jsinterp.cpp:671 |
7 | libxul.so | js::mjit::stubs::SlowCall | js/src/methodjit/InvokeHelpers.cpp:227 |
8 | libxul.so | js::mjit::ic::NativeCall | js/src/methodjit/MonoIC.cpp:660 |
9 | | @0x7f59fc92a29d | |
Comment 1•14 years ago
Looks like this signature has been around for a while for 3.6.x, but the spike on 4.0b8pre might be a new regression appearing on Oct. 13 in builds from the 12th
20101010 10 9 3.6.102010091412, 1 3.6.92010082415
20101011 10 9 3.6.102010091412, 1 3.6.82010072215
20101012 13 8 3.6.102010091412, 2 3.6.32010040108, 1 3.6.92010082415, 1 3.6.82010072215, 1 3.6.112010100108
20101013 4 1 4.0b8pre2010101303, 1 4.0b8pre2010101203, 1 3.6.82010072215, 1 3.6.102010091412
20101014 31 14 4.0b8pre2010101403, 9 3.6.102010091412, 5 4.0b8pre2010101321, 2 4.0b8pre2010101322, 1 4.0b62010091408
Comment 2•14 years ago
Assuming the MXR link for the top stack frame is accurate (http://hg.mozilla.org/tracemonkey/annotate/0b754642eedb/js/src/jsopcode.cpp#l3991) it looks like this while decompiling a JSOP_CALLGLOBAL/GETGLOBAL at the line
atom = jp->script->getGlobalAtom(GET_SLOTNO(pc));
Comment 3•14 years ago
I had this happen to me immediately after upgrading from a build from 2010-10-12 to 2010-10-18. As far as I can tell, the culprit was Gmail; it was crashing consistently shortly after launch, but as soon as I killed the Gmail tabs (one Gmail and the other a Google Apps account), it stopped crashing.
Then I restored the Gmail tabs but they wouldn't load properly (stopped just before going to the inbox), consistently. Disabling labs worked, then going back worked too... weird issue, I don't understand anything that happened with it. All I know is that it hasn't crashed since.
I only reported it the first time it crashed: http://crash-stats.mozilla.com/report/index/bp-6b2968b5-75b4-4a44-a294-885782101019
Ubuntu, 64-bit, nightly PPA.
Comment 4•14 years ago
topcrash number 19 so far, setting blocking request
blocking2.0: --- → ?
Keywords: topcrash
Comment 5•14 years ago
Just had it crash twice more in the past hour and a bit.
http://crash-stats.mozilla.com/report/index/bp-dfa6652d-b5f4-49b3-86f9-202d12101020
http://crash-stats.mozilla.com/report/index/bp-f4df11ab-dc23-4ba4-b034-d8ae62101020
Also from earlier today http://crash-stats.mozilla.com/report/index/bp-e0533e66-552d-4c2e-8ca6-3b3e22101019 - but the crash reporter failed there. Presumably the same bug.
The only common feature I can think of is that I'm loading page/s from a site while reloading other page/s from the same site.
Comment 6•14 years ago
This is still in the top 20 in today's reports.
Comment 7•14 years ago
Decompile crashes throw suspicion on patches that added or removed JS bytecodes, or changed how an existing bytecode's immediates are encoded, etc.
/be
Reporter
Comment 8•14 years ago
I see one person that reported several crashes on Mac - they were using the following extensions:
DOM Inspector inspector@mozilla.org 2.0.8 current
Firebug firebug@software.joehewitt.com 1.7X.0a3 1.5.4
Feedly feedly@devhd 3.5 current
Flashblock {3d7eb24f-2740-49df-8937-200b1cc08f8a} 1.5.14.2 current
Haven't been able to repro but since this was a moz address I will try to find out if the person recalls what they were doing specifically when they crashed.
Updated•14 years ago
Assignee: general → dvander
Comment 9•14 years ago
Bug 607196 could be related to this.
Updated•14 years ago
blocking2.0: ? → beta8+
Comment 10•14 years ago
Pulling back into beta7, might get pushed back out. Would be good to know how highly correlated Firebug is to this set of crashes.
blocking2.0: beta8+ → beta7+
Comment 11•14 years ago
9 of 10 reports (sorted by highest uptime, actually) had firebug in the extensions list; the other had a blank (probably corrupt?) extensions list.
These also seem to be Mac-only.
Comment 12•14 years ago
I suspect that this will be handled by the bugs that make Firebug more stable, exposing JSD properly. Adding reference in whiteboard.
Whiteboard: [to be fixed by 595243?]
Comment 13•14 years ago
Believed related: Bug 551077 - Crash in [@ js_ConcatStrings ]
Relevant comment: https://bugzilla.mozilla.org/show_bug.cgi?id=551077#c15
A js_ConcatStrings crash became a Decompile crash (symptoms the same) after 20101025r56422 to 20101026r56482 upgrade. Different symptoms, however, from my earlier Decompile crashes in that it's now at startup rather than at a fairly random time. I'll try disabling Firebug and see if it continues crashing.
Comment 14•14 years ago
With Firebug disabled, I can't reproduce this now. So I think that's a pretty clear indicator that it's JSD that's at fault.
Comment 15•14 years ago
I was able to reproduce this consistently using Chris's instructions. When I applied the patch in bug 607174, the crash went away.
Comment 16•14 years ago
I will dup this bug based on comment 15. Please re-open if you disagree.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 17•14 years ago
Does anyone understand the detailed cause and effect chain that led from some wrong-compartment jsd bug to this symptom?
/be
Updated•13 years ago
Crash Signature: [@ Decompile ]