Closed
Bug 884053
Opened 11 years ago
Closed 11 years ago
crash in js::CreateThisForFunctionWithProto @ js::types::TypeSet::hasType
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla25
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | + | verified |
People
(Reporter: scoobidiver, Assigned: bhackett1024)
References
()
Details
(4 keywords)
Crash Data
Attachments
(1 file)
(deleted),
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
With the stack trace below, it first showed up in 24.0a1/20130615. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317
Signature js::types::TypeSet::hasType(js::types::Type) More Reports Search
UUID 9da3791b-ed06-4052-bee1-235d62130617
Date Processed 2013-06-17 19:57:46
Uptime 15
Last Crash 34 seconds before submission
Install Age 15 seconds since version was first installed.
Install Time 2013-06-17 19:57:25
Product Firefox
Version 24.0a1
Build ID 20130617031112
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 23 stepping 10
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x56a1
App Notes
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0de0, AdapterSubsysID: 00000000, AdapterDriverVersion: 9.18.13.1407
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes sp-processor05_phx1_mozilla_com_25008:2012
EMCheckCompatibility True
Adapter Vendor ID 0x10de
Adapter Device ID 0x0de0
Total Virtual Memory 4294836224
Available Virtual Memory 3673063424
System Memory Use Percentage 36
Available Page File 6777159680
Available Physical Memory 2732924928
Frame Module Signature Source
0 mozjs.dll js::types::TypeSet::hasType js/src/jsinferinlines.h:1318
1 mozjs.dll js::CreateThisForFunctionWithProto js/src/jsobj.cpp:1556
2 mozjs.dll js::ion::CreateThisForFunctionWithProtoWrapper js/src/ion/CodeGenerator.cpp:3106
3 mozjs.dll js::CloneFunctionObject js/src/jsfun.cpp:1550
4 mozjs.dll js::Lambda js/src/vm/Interpreter.cpp:3200
5 @0xffffff82
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
Reporter | ||
Updated•11 years ago
|
status-firefox23:
--- → unaffected
status-firefox-esr17:
affected → ---
Reporter | ||
Comment 1•11 years ago
|
||
It's #4 top browser crasher in today's build.
tracking-firefox24:
--- → ?
Keywords: topcrash
Updated•11 years ago
|
Keywords: needURLs,
steps-wanted
Updated•11 years ago
|
Comment 2•11 years ago
|
||
CCing :naveed to see if he can help find an assignee here and see if anything in the regression range could be an obvious bug ?
Comment 3•11 years ago
|
||
Total Count URL
183 https://www.facebook.com/
74 http://www.facebook.com/
61 about:blank
28 https://www.facebook.com/?ref=tn_tnmn
23 https://www.facebook.com/login.php?login_attempt=1
15 https://adwords.google.com/o/Targeting/Explorer?__c=1000000000&__u=1000000000&ideaRequestType=KEYWORD_IDEAS
12 http://www.facebook.com/?ref=tn_tnmn
10 http://www.google.co.in/
8 about:newtab
Keywords: needURLs
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeSet::addType(JSContext*, js::types::Type)]
OS: Windows 7 → All
Reporter | ||
Comment 4•11 years ago
|
||
It accounts for 6% of crashes over the last three builds.
Tracy, can you provide URLs only for 24.0a1 because crashes with this signature in previous versions are unrelated?
Flags: needinfo?(twalker)
Keywords: needURLs
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeSet::addType(JSContext*, js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeSet::addType(JSContext*, js::types::Type)]
[@ js::types::TypeScript::SetThis(JSContext*, JSScript*, js::types::Type)]
Comment 5•11 years ago
|
||
The URL's provided previously were what crash-stats gave me for 24. Here's an updated list:
Total Count URL
239 https://www.facebook.com/
92 about:blank
72 http://www.facebook.com/
36 https://adwords.google.com/o/Targeting/Explorer?__c=1000000000&__u=1000000000&ideaRequestType=KEYWORD_IDEAS
35 https://ssl.gstatic.com/orkut/ads/gen/afci007.html#google_ad_width=300&google_ad_height=250&google_image_size=300x250&google_ad_format=300x250_as_new&google_color_border=ffffff&google_color_bg=ffffff&google_color_text=000000&google_color_link=3767be&googl
35 http://www.orkut.com.br/Main#Home
27 https://www.facebook.com/?ref=tn_tnmn
25 https://www.facebook.com/login.php?login_attempt=1
12 https://www.cmb.fr/banque/assurance/credit-mutuel/web/yc_8462/prive
12 http://www.orkut.co.in/Main#Home
12 http://www.facebook.com/?ref=tn_tnmn
11 https://www.google.com/adsense/app#home
9 https://www.google.com/adsense/app
Flags: needinfo?(twalker)
Reporter | ||
Updated•11 years ago
|
Comment 6•11 years ago
|
||
STR
Open URL
Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911
Pushlog
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4
Regressed by : Bug 678037
Reporter | ||
Updated•11 years ago
|
Blocks: LazyBytecode
Keywords: regressionwindow-wanted
Assignee | ||
Comment 7•11 years ago
|
||
I think this will fix these crashes, there is an incorrect use of nonLazyScript() on that stack.
Assignee: general → bhackett1024
Attachment #766760 -
Flags: review?(luke)
Updated•11 years ago
|
Attachment #766760 -
Flags: review?(luke) → review+
Assignee | ||
Comment 8•11 years ago
|
||
Comment 9•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Reporter | ||
Comment 10•11 years ago
|
||
It was #4 top browser crasher in 24.0a1. An uplift to Aurora would be fine before 24.0a2 is released.
Reporter | ||
Comment 11•11 years ago
|
||
For some reasons, there are no crashes with this signature after 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The working range is:
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69
Is it indirectly fixed by bug 886660?
Whiteboard: [workingwindow-wanted]
Comment 12•11 years ago
|
||
(In reply to Scoobidiver from comment #11)
> For some reasons, there are no crashes with this signature after
> 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The
> working range is:
> http://hg.mozilla.org/releases/mozilla-aurora/
> pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69
> Is it indirectly fixed by bug 886660?
Fixed window (aurora)
Bad:
http://hg.mozilla.org/releases/mozilla-aurora/rev/67b0221cbd69
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626140739
Good:
http://hg.mozilla.org/releases/mozilla-aurora/rev/d5940f917a9a
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626180956
Fixed pushlog:
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=67b0221cbd69&tochange=d5940f917a9a
I guess;
Fixed by: dbba940275aa Kannan Vijayan — Bug 883973 - Disable heavyweight function inlining. r=dvander, a=bajaj
Reporter | ||
Comment 13•11 years ago
|
||
Do you still want to uplift the null check based on comment 12?
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 14•11 years ago
|
||
(In reply to Scoobidiver from comment #13)
> Do you still want to uplift the null check based on comment 12?
I think if the signature is no longer crashing then the uplift shouldn't be needed.
Flags: needinfo?(bhackett1024)
Reporter | ||
Comment 15•11 years ago
|
||
Marking as fixed in 24.0 per comment 12.
Comment 16•11 years ago
|
||
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Unable to crash Firefox 24 beta 8 (buildID: 20130902131354) and latest Nightly (buildID: 20130903030201). Still a few crashes in Socorro in Firefox 24 beta 7, but less and less with each beta. I think there is safe to call this verified fixed.
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-09-03&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29&version=Firefox%3A24.0b7
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•