Closed Bug 604818 Opened 14 years ago Closed 14 years ago

Crash in [@ Decompile ]

Categories

(Core :: JavaScript Engine, defect)

Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 607174
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: marcia, Assigned: dvander)

Details

(Keywords: crash, topcrash, Whiteboard: [to be fixed by 595243?])

Crash Data

Seen while reviewing trunk crash stats. Currently the #20 top crash on the trunk. http://tinyurl.com/2aojopy links to the crashes, which are on all platforms.

Frame  Module      Signature                              Source
0      libxul.so   Decompile                              js/src/jsopcode.cpp:3991
1      libxul.so   DecompileCode                          js/src/jsopcode.cpp:4891
2      libxul.so   DecompileExpression                    js/src/jsopcode.cpp:5335
3      libxul.so   js_DecompileValueGenerator             js/src/jsopcode.cpp:5198
4      libxul.so   js_ReportValueErrorFlags               js/src/jsopcode.h:484
5      libxul.so   js_ReportIsNotFunction                 js/src/jsfun.cpp:3104
6      libxul.so   js::Invoke                             js/src/jsinterp.cpp:671
7      libxul.so   js::mjit::stubs::SlowCall              js/src/methodjit/InvokeHelpers.cpp:227
8      libxul.so   js::mjit::ic::NativeCall               js/src/methodjit/MonoIC.cpp:660
9                  @0x7f59fc92a29d
Looks like this signature has been around for a while for 3.6.x, but the spike on 4.0b8pre might be a new regression appearing on Oct. 13 in builds from the 12th.

Date      Total  Breakdown by version (build id)
20101010  10     9 3.6.10 (2010091412), 1 3.6.9 (2010082415)
20101011  10     9 3.6.10 (2010091412), 1 3.6.8 (2010072215)
20101012  13     8 3.6.10 (2010091412), 2 3.6.3 (2010040108), 1 3.6.9 (2010082415), 1 3.6.8 (2010072215), 1 3.6.11 (2010100108)
20101013  4      1 4.0b8pre (2010101303), 1 4.0b8pre (2010101203), 1 3.6.8 (2010072215), 1 3.6.10 (2010091412)
20101014  31     14 4.0b8pre (2010101403), 9 3.6.10 (2010091412), 5 4.0b8pre (2010101321), 2 4.0b8pre (2010101322), 1 4.0b6 (2010091408)
Assuming the MXR link for the top stack frame is accurate (http://hg.mozilla.org/tracemonkey/annotate/0b754642eedb/js/src/jsopcode.cpp#l3991), it looks like this happens while decompiling a JSOP_CALLGLOBAL/GETGLOBAL at the line atom = jp->script->getGlobalAtom(GET_SLOTNO(pc));
I had this happen to me immediately after upgrading from a build from 2010-10-12 to 2010-10-18. As far as I can tell, the culprit was Gmail; it was crashing consistently shortly after launch, but as soon as I killed the Gmail tabs (one Gmail and the other a Google Apps account), it stopped crashing. Then I restored the Gmail tabs, but they wouldn't load properly (stopped just before going to the inbox), consistently. Disabling Labs worked, then going back worked too... weird issue, I don't understand anything that happened with it. All I know is that it hasn't crashed since. I only reported it the first time it crashed: http://crash-stats.mozilla.com/report/index/bp-6b2968b5-75b4-4a44-a294-885782101019 (Ubuntu, 64-bit, nightly PPA).
Topcrash number 19 so far, setting blocking request.
blocking2.0: --- → ?
Keywords: topcrash
Just had it crash twice more in the past hour and a bit: http://crash-stats.mozilla.com/report/index/bp-dfa6652d-b5f4-49b3-86f9-202d12101020 and http://crash-stats.mozilla.com/report/index/bp-f4df11ab-dc23-4ba4-b034-d8ae62101020. Also from earlier today, http://crash-stats.mozilla.com/report/index/bp-e0533e66-552d-4c2e-8ca6-3b3e22101019, but the crash reporter failed there. Presumably the same bug. The only common feature I can think of is that I'm loading page(s) from a site while reloading other page(s) from the same site.
This is still in the top 20 in today's reports.
Decompile crashes throw suspicion on patches that added or removed JS bytecodes, or changed how an existing bytecode's immediates are encoded, etc. /be
I see one person that reported several crashes on Mac; they were using the following extensions (name, id, installed version, current version):

DOM Inspector   inspector@mozilla.org                      2.0.8      current
Firebug         firebug@software.joehewitt.com             1.7X.0a3   1.5.4
Feedly          feedly@devhd                               3.5        current
Flashblock      {3d7eb24f-2740-49df-8937-200b1cc08f8a}     1.5.14.2   current

Haven't been able to repro, but since this was a moz address I will try to find out if the person recalls what they were doing specifically when they crashed.
Assignee: general → dvander
Bug 607196 could be related to this.
blocking2.0: ? → beta8+
Pulling back into beta7, might get pushed back out. Would be good to know how highly correlated Firebug is to this set of crashes.
blocking2.0: beta8+ → beta7+
9 of 10 reports (sorted by highest uptime, actually) had Firebug in the extensions list; the other had a blank (probably corrupt?) extensions list. These also seem to be Mac-only.
I suspect that this will be handled by the bugs that make Firebug more stable, exposing JSD properly. Adding reference in whiteboard.
Whiteboard: [to be fixed by 595243?]
Believed related: Bug 551077 - Crash in [@ js_ConcatStrings ]. Relevant comment: https://bugzilla.mozilla.org/show_bug.cgi?id=551077#c15. A js_ConcatStrings crash became a Decompile crash (symptoms the same) after the 20101025r56422 to 20101026r56482 upgrade. Different symptoms, however, from my earlier Decompile crashes in that it's now at startup rather than at a fairly random time. I'll try disabling Firebug and see if it continues crashing.
With Firebug disabled, I can't reproduce this now. So I think that's a pretty clear indicator that it's JSD that's at fault.
I was able to reproduce this consistently using Chris's instructions. When I applied the patch in bug 607174, the crash went away.
I will dup this bug based on comment 15. Please re-open if you disagree.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Does anyone understand the detailed cause and effect chain that led from some wrong-compartment jsd bug to this symptom? /be
Crash Signature: [@ Decompile ]