Closed Bug 884053 Opened 11 years ago Closed 11 years ago

crash in js::CreateThisForFunctionWithProto @ js::types::TypeSet::hasType

Categories

(Core :: JavaScript Engine, defect)

24 Branch
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla25
Tracking Status
firefox23 --- unaffected
firefox24 + verified

People

(Reporter: scoobidiver, Assigned: bhackett1024)

Attachments

(1 file)

With the stack trace below, it first showed up in 24.0a1/20130615. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317
Signature: js::types::TypeSet::hasType(js::types::Type)
UUID: 9da3791b-ed06-4052-bee1-235d62130617
Date Processed: 2013-06-17 19:57:46
Uptime: 15
Last Crash: 34 seconds before submission
Install Age: 15 seconds since version was first installed.
Install Time: 2013-06-17 19:57:25
Product: Firefox
Version: 24.0a1
Build ID: 20130617031112
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 23 stepping 10
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x56a1
App Notes: AdapterVendorID: 0x10de, AdapterDeviceID: 0x0de0, AdapterSubsysID: 00000000, AdapterDriverVersion: 9.18.13.1407 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
Processor Notes: sp-processor05_phx1_mozilla_com_25008:2012
EMCheckCompatibility: True
Adapter Vendor ID: 0x10de
Adapter Device ID: 0x0de0
Total Virtual Memory: 4294836224
Available Virtual Memory: 3673063424
System Memory Use Percentage: 36
Available Page File: 6777159680
Available Physical Memory: 2732924928
Frame  Module  Signature  Source
0  mozjs.dll  js::types::TypeSet::hasType  js/src/jsinferinlines.h:1318
1  mozjs.dll  js::CreateThisForFunctionWithProto  js/src/jsobj.cpp:1556
2  mozjs.dll  js::ion::CreateThisForFunctionWithProtoWrapper  js/src/ion/CodeGenerator.cpp:3106
3  mozjs.dll  js::CloneFunctionObject  js/src/jsfun.cpp:1550
4  mozjs.dll  js::Lambda  js/src/vm/Interpreter.cpp:3200
5  @0xffffff82
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29
It's the #4 top browser crasher in today's build.
Keywords: topcrash
CCing :naveed to see if he can help find an assignee here and see if anything in the regression range could be an obvious bug?
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::addType(JSContext*, js::types::Type)]
OS: Windows 7 → All
It accounts for 6% of crashes over the last three builds. Tracy, can you provide URLs only for 24.0a1 because crashes with this signature in previous versions are unrelated?
Flags: needinfo?(twalker)
Keywords: needURLs
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::addType(JSContext*, js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)] [@ js::types::TypeSet::addType(JSContext*, js::types::Type)] [@ js::types::TypeScript::SetThis(JSContext*, JSScript*, js::types::Type)]
Keywords: needURLs
STR: Open URL
Regression window (m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4
Regressed by: Bug 678037
Attached patch: patch (deleted)
I think this will fix these crashes; there is an incorrect use of nonLazyScript() on that stack.
Assignee: general → bhackett1024
Attachment #766760 - Flags: review?(luke)
Attachment #766760 - Flags: review?(luke) → review+
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
It was the #4 top browser crasher in 24.0a1. An uplift to Aurora would be fine before 24.0a2 is released.
For some reason, there are no crashes with this signature after 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The working range is:
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69
Is it indirectly fixed by bug 886660?
Whiteboard: [workingwindow-wanted]
(In reply to Scoobidiver from comment #11)
> For some reason, there are no crashes with this signature after
> 24.0a2/201360626 and I can't reproduce it in Aurora with the ref. URL. The
> working range is:
> http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=17666746e8cc&tochange=67b0221cbd69
> Is it indirectly fixed by bug 886660?
Fixed window (aurora)
Bad:
http://hg.mozilla.org/releases/mozilla-aurora/rev/67b0221cbd69
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626140739
Good:
http://hg.mozilla.org/releases/mozilla-aurora/rev/d5940f917a9a
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130626 Firefox/24.0 ID:20130626180956
Fixed pushlog:
http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=67b0221cbd69&tochange=d5940f917a9a
I guess; Fixed by:
dbba940275aa Kannan Vijayan — Bug 883973 - Disable heavyweight function inlining. r=dvander, a=bajaj
Depends on: 883973
Whiteboard: [workingwindow-wanted]
Do you still want to uplift the null check based on comment 12?
Flags: needinfo?(bhackett1024)
(In reply to Scoobidiver from comment #13)
> Do you still want to uplift the null check based on comment 12?
I think if the signature is no longer crashing then the uplift shouldn't be needed.
Flags: needinfo?(bhackett1024)
Marking as fixed in 24.0 per comment 12.
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Unable to crash Firefox 24 beta 8 (buildID: 20130902131354) and latest Nightly (buildID: 20130903030201). Still a few crashes in Socorro in Firefox 24 beta 7, but less and less with each beta. I think it is safe to call this verified fixed.
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-09-03&signature=js%3A%3Atypes%3A%3ATypeSet%3A%3AhasType%28js%3A%3Atypes%3A%3AType%29&version=Firefox%3A24.0b7
Status: RESOLVED → VERIFIED