Closed
Bug 481804
Opened 15 years ago
Closed 15 years ago
TM: Crash when repeatedly clicking "up" video list navigation, if Linkification extension is installed [@ js3250.dll@0x90ff3 ]
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
People
(Reporter: fehe, Unassigned)
References
()
Details
(Keywords: crash, regression, Whiteboard: Regression range in comment #2 (MC) and in comment #5 (TM))
Crash Data
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090305 Firefox/3.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090305 Minefield/3.2a1pre With the Linkification extension installed, JIT chrome enabled, and the ABC News video player loaded (the linked URL), if one rapidly clicks the scroll "up" video list navigation arrow on the left-hand side, Minefield crashes with the signature: [@ js3250.dll@0x90ff3 ]: http://crash-stats.mozilla.com/report/index/d30e4c4d-64aa-4960-920e-896982090305 This crash also happens with the latest Tracemonkey nightly build, but the signature is slightly different: [@ js_Interpret ]: http://crash-stats.mozilla.com/report/index/864d61bd-48bb-4247-9697-70edf2090305 The crash occurs only if JIT chrome is enabled. Reproducible: Always Steps to Reproduce: 1. Set javascript.options.jit.chrome to: true 2. Install Linkification 3.5 and restart: https://addons.mozilla.org/en-US/firefox/addon/190 3. Visit the linked URL 4. Once the media player window has fully loaded, quickly and repeatedly click the medial list scroll up arrow on the left-hand side of the media player page, until the browser crashes. 5. Try again with JIT chrome disabled. Browser does not crash. Actual Results: Browser crashes Expected Results: Should function the same as when JIT chrome is not enabled (i.e. should not crash).
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
Version: unspecified → Trunk
Is there no one who can confirm this? I should be easy to reproduce.
Regression range: Works: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090228 Minefield/3.2a1pre ID:20090228034747 http://hg.mozilla.org/mozilla-central/rev/f3d5f4a980a0 Fails: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090301 Minefield/3.2a1pre ID:20090301035004 http://hg.mozilla.org/mozilla-central/rev/ad8d75516c5e
Keywords: regression
Whiteboard: Regression range in comment #2
0 js3250.dll js3250.dll@0x90ff3 1 js3250.dll js_Invoke js/src/jsinterp.cpp:1330 2 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608 3 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:561 4 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114 5 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141 6 xul.dll nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1079 7 xul.dll xul.dll@0x3277f9 8 xul.dll nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:315 9 xul.dll nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:508 10 @0x402ffff
Comment 4•15 years ago
|
||
for convenience: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f3d5f4a980a0&tochange=ad8d75516c5e
Comment 5•15 years ago
|
||
bp-1f3b9ba6-ac81-45b6-ac19-821bd2090317 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090317 Minefield/3.6a1pre ID:20090317101214 works: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090226 Minefield/3.2a1pre ID:20090226023759 http://hg.mozilla.org/tracemonkey/rev/aea34f524423 fails: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090227 Minefield/3.2a1pre ID:20090227021444 http://hg.mozilla.org/tracemonkey/rev/737ca70d654f => bp-f5992c8e-ee92-44c4-bbf8-32c402090317 Signature js_Interpret UUID f5992c8e-ee92-44c4-bbf8-32c402090317 Time 2009-03-17 00:00:00 Uptime 26 Last Crash 655 seconds before submission Product Firefox Version 3.2a1pre Build ID 20090227021444 Branch 1.9.2 OS Windows NT OS Version 5.1.2600 Service Pack 3 CPU x86 CPU Info GenuineIntel family 15 model 2 stepping 9 Crash Reason EXCEPTION_ACCESS_VIOLATION Crash Address 0x0 User Comments again Bug 481804 test Processor Notes 0 js3250.dll js_Interpret js/src/jsinterp.cpp:3673 1 js3250.dll js_Invoke js/src/jsinterp.cpp:1336 2 xul.dll nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*,unsigned short,XPTMethodDescriptor const*,nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608 3 xul.dll nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const*,nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjs.cpp:561 4 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114 5 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141 6 xul.dll nsEventListenerManager::HandleEventSubType(nsListenerStruct*,nsIDOMEventListener*,nsIDOMEvent*,nsPIDOMEventTarget*,unsigned int) content/events/src/nsEventListenerManager.cpp:1079 7 xul.dll xul.dll@0x7817c7 => range: http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=aea34f524423&tochange=737ca70d654f
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: Regression range in comment #2 → Regression range in comment #2 (MC) and in comment #5 (TM)
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Comment 6•15 years ago
|
||
we still have this bug?
Comment 7•15 years ago
|
||
the build in comment 5 (http://hg.mozilla.org/tracemonkey/rev/737ca70d654f) still crashes, latest TM hourly build (http://hg.mozilla.org/tracemonkey/rev/5af960879215) does not -> fixed.
Confirmed fixed. Not sure when it would have been fixed, but I can no longer reproduce as of http://hg.mozilla.org/mozilla-central/rev/51f332235f14 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090803 Minefield/3.6a1pre ID:20090803044626
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 9•15 years ago
|
||
actually this got fixed in range http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=46370f001a04&tochange=a36145aabfa9
Comment 10•15 years ago
|
||
Mass change: adding fixed1.9.2 keyword (This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Updated•15 years ago
|
status1.9.2:
--- → beta1-fixed
Keywords: fixed1.9.2
Updated•13 years ago
|
Crash Signature: [@ js3250.dll@0x90ff3 ]
You need to log in
before you can comment on or make changes to this bug.
Description
•