Closed
Bug 456981
Opened 16 years ago
Closed 16 years ago
TM: Crash at youtube.com on history navigation + NoScript [@ nanojit::LirBufWriter::insImm(int) ]
Categories
(Core :: JavaScript Engine, defect, P2)
RESOLVED
WORKSFORME
mozilla1.9.1b1
People
(Reporter: fehe, Unassigned)
Details
(Keywords: crash)
Crash Data
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Firefox/2.0.0.11

The circumstances for this bug are similar to Bug 455646

Under very specific conditions, with JIT chrome enabled, Firefox crashes when navigating either forward or backwards (in history) at Youtube.com. The additional conditions are the presence of NoScript and general.useragent.extra.firefox being set to something like Firefox/2.0.0.11.

Crash Signature: nanojit::LirBufWriter::insImm(int)
http://crash-stats.mozilla.com/report/index/1e3af180-8b07-11dd-bb34-001cc4e2bf68
http://crash-stats.mozilla.com/report/index/c1849051-8b08-11dd-95ea-001a4bd43ef6

Reproducible: Always

Steps to Reproduce:
1. Create a new profile
2. Install NoScript
3. Change the value of general.useragent.extra.firefox to Firefox/2.0.0.11
4. Enable javascript.options.jit.chrome (set it to true)
5. Restart Firefox
6. Go to http://www.youtube.com and click a video
7. Right-click the NoScript icon (in the status bar) and select "Temporarily allow all this page"
8. Allow the video to play for about 10 seconds or more then left-click one of the related videos on the right (so it loads in the same tab).
9. Either allow that second video to play for a few seconds then click the Back toolbar button or simply click the Back toolbar button.
10. The result should be a crash.
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
Comment 1•16 years ago
0 js3250.dll nanojit::LirBufWriter::insImm js/src/nanojit/LIR.cpp:412
1 js3250.dll nanojit::CseFilter::insImm js/src/nanojit/LIR.cpp:1725
2 js3250.dll nanojit::LirWriter::insLoad js/src/nanojit/LIR.cpp:889
3 js3250.dll TraceRecorder::test_property_cache js/src/jstracer.cpp:3524
4 js3250.dll TraceRecorder::prop js/src/jstracer.cpp:5171
5 js3250.dll TraceRecorder::getProp js/src/jstracer.cpp:5295
6 js3250.dll TraceRecorder::getProp js/src/jstracer.cpp:5310
7 js3250.dll TraceRecorder::record_JSOP_GETARGPROP js/src/jstracer.cpp:6583
8 js3250.dll js3250.dll@0x696b0
Keywords: crash
Updated•16 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b1
Comment 2•16 years ago
LInsp LirBufWriter::insImm(int32_t imm)
{
    if (isS16(imm)) {
        ensureRoom(1);
        LInsp l = _buf->next();
        l->initOpcode(LIR_short);   // [crash here]
        l->setimm16(imm);
        _buf->commit(1);
        _buf->_stats.lir++;
        return l;
    } else {
        ensureRoom(2);
        int32_t* l = (int32_t*)_buf->next();
        *l = imm;
        _buf->commit(1);
        return ins0(LIR_int);
    }
}

David, any comments on this one?
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
A while ago, I opened a tab and, in the middle of loading hotmail, I got a crash with the following signature: [@ nanojit::LirBufWriter::insFar(nanojit::LOpcode, nanojit::LIns*) ] http://crash-stats.mozilla.com/report/index/ef5e72d1-8b11-11dd-97c6-0013211cbf8a Is that pretty much the same as this bug or should I be opening a new bug?
Comment 4•16 years ago
Yeah, that's the same bug with very high probability. Thanks for the report. This will be worked on shortly.
Just discovered that this bug can also be reproduced by moving a tab with active flash content from one window to another. NoScript is still a requirement.
Updated•16 years ago
Priority: P1 → P2
> Just discovered that this bug can also be reproduced by moving a tab with
> active flash content from one window to another. NoScript is still a
> requirement.

This is the only crash I'm able to reproduce, but it happens even without the JIT, so I don't think it's related. The original crash might have been fixed already, we haven't synced with mozilla-central yet though. Could you try the latest build from ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/tracemonkey-win32/ ?
@David: you're experiencing this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=458048

As far as the immediate bug goes, it is indeed fixed in the latest TraceMonkey build. Thanks
Comment 8•16 years ago
We sync'ed tm and m-c, so this should be fixed now. I'll mark WFM optimistically. /be
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Updated•13 years ago
Crash Signature: [@ nanojit::LirBufWriter::insImm(int) ]