Closed Bug 991847 Opened 10 years ago Closed 5 years ago

crash in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)

Categories

(Core :: JavaScript Engine, defect)

31 Branch
x86
Windows NT
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox31 + wontfix
firefox47 --- affected
firefox-esr45 --- affected

People

(Reporter: u279076, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-de527afe-f975-40aa-80df-385642140403.
=============================================================
0 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
1 	mozjs.dll 	js_fun_call(JSContext *,unsigned int,JS::Value *) 	js/src/jsfun.cpp
2 		@0xa0a1fb4 	
3 		@0x1963b110 	
4 		@0x3e910e35

More reports:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AInvoke%28JSContext*%2C+JS%3A%3ACallArgs%2C+js%3A%3AMaybeConstruct%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&version=Firefox%3A31.0a1&hang_type=any&date=2014-04-03+18%3A00%3A00&range_value=1#reports

This first showed up in Firefox 31.0a1 after GGC was enabled and seems highly correlated to http://www.imvu.com. It is currently #20 @ 0.61% in Nightly.

Terrence, can you look into this to see if it's related to GGC?
Flags: needinfo?(terrence)
Couldn't crash http://www.imvu.com/, 31.0a1 (2014-04-04) Win 7 x64
Summary: [GGC?] crash in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) → crash in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)
Whiteboard: [GGC]
No crashes with this signature reported on builds after 8 Apr.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(terrence)
Resolution: --- → DUPLICATE
No longer tracking
Marking this verified fixed for Firefox 31 given the status of bug 992535.
I'm reopening this bug and nominating it for tracking. I don't think bug 992535 fixed this signature as it's rising quite rapidly. In the last 3 days it's up 22 positions to #14, accounting for 0.75% of our Firefox 31 crashes. In the last 7 days it's up 248 positions to #30, accounting for 0.39% of our Firefox 31 crashes.

Either this is a new crash with the same signature or bug 992535 hasn't resolved it. I wasn't able to get correlations for this but checking through 20 random reports, 12 of them had fx-searchtest@mozilla.org installed as an extension. Could this be search experiment related?
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
This has [GGC] set in the whiteboard. Given that GGC is off in 31 now, I'm pretty sure something is wrong here. I remember seeing this without GGC and it actually was mostly gone in 31 before we deactivated GGC, so I'm pretty sure that either GGC moves this to a different signature or even fixes it.
Too late for 31. Do we know if it impacts 32 too?
I get a reproducible crash with this signature, when I run

http://peterjensen.github.io/mandelbrot/js/mandelbrot-asm.html

on latest nightly using e10s (after pressing "start" and then "use simd"), on linux-64.
Happens with or without e10s actually, so not e10s related.
Alon, can you still reproduce this? Do you have a crash report?

Doesn't crash for me on OS X 64-bit with 09/14 Nightly.
Flags: needinfo?(azakai)
Yes, still happens 100% of the time on this machine. Perhaps it's linux64-only? Although I don't see it on another linux64 machine.

Here is an example crash: https://crash-stats.mozilla.com/report/index/c7410496-de69-4a90-93b7-a6bc82140916
Flags: needinfo?(azakai)
What I see might be a SIMD-specific issue on my machine (bug 1068331), that just happens to have the same signature as this.
All crashes after re-opening are not related to GGC or GC, so removing those tags.
No longer blocks: 994589
Whiteboard: [GGC]
Hello Anthony!

Is bp-3dd20fed-f425-4e62-ba9e-f4af02150914 this bug or a different one?

Thanks!

Steps:
 - Shutdown Windows 7 without closing Nightly first
 - Force shutdown upon Nightly's shutdown hang

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
1 	xul.dll 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
2 	xul.dll 	MaybeCallMethod 	js/src/jsobj.cpp
3 	xul.dll 	JS::OrdinaryToPrimitive(JSContext*, JS::Handle<JSObject*>, JSType, JS::MutableHandle<JS::Value>) 	js/src/jsobj.cpp
4 	xul.dll 	date_convert 	js/src/jsdate.cpp
5 	xul.dll 	js::ToNumberSlow(js::ExclusiveContext*, JS::Value, double*) 	js/src/jsnum.cpp
6 	xul.dll 	js::SubValues(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
7 		@0x1718a3c413d
Flags: needinfo?(anthony.s.hughes)
(In reply to alex_mayorga from comment #16)
> Hello Anthony!
> 
> Is bp-3dd20fed-f425-4e62-ba9e-f4af02150914 this bug or a different one?

This looks like a different crash than what this bug is tracking. Terrence, what do you think?

Alex, if Terrence agrees, please file a new bug.
Flags: needinfo?(anthony.s.hughes) → needinfo?(terrence)
Yes, comment 16, this is definitely a different issue and should have a different bug.

A jit or asm peer would need to investigate more, but I could see this happening if forcing shutdown disabled our interrupt overrides while jit-code was still running.
Flags: needinfo?(terrence)
Crash Signature: [@ js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)] → [@ js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)] [@ js::Invoke]
Crash volume for signature 'js::Invoke':
 - nightly (version 50): 0 crashes from 2016-06-06.
 - aurora  (version 49): 0 crashes from 2016-06-07.
 - beta    (version 48): 0 crashes from 2016-06-06.
 - release (version 47): 1436 crashes from 2016-05-31.
 - esr     (version 45): 58 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       0       0       0
 - aurora        0       0       0       0       0       0       0
 - beta          0       0       0       0       0       0       0
 - release     191     164     203     193     195     220     190
 - esr           9       7       7       3       4       9       6

Affected platforms: Windows, Mac OS X, Linux

Closing because no crashes reported for 12 weeks.

Status: REOPENED → RESOLVED
Closed: 10 years ago → 5 years ago
Resolution: --- → WORKSFORME