Closed Bug 500108 Opened 15 years ago Closed 15 years ago

Deep abort is not detected in JSOP_IN [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]

Categories

(Core :: JavaScript Engine, defect)

1.9.1 Branch
defect
Not set
critical

RESOLVED FIXED
mozilla1.9.2a1
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: samuel.sidler+old, Assigned: gal)

Details

(Keywords: crash, topcrash, verified1.9.1.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

The current #7 (earlier today #8) top crash in Firefox 3.5 RC happens with a signature of TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*).

This crash happens across platforms (Windows and Mac).

The majority of the stacks look like this, from bp-86691c70-423b-4957-9637-3f4c02090623:

Frame  	Module  	Signature  	Source
0 	js3250.dll 	TraceRecorder::emitIf(unsigned char*,bool,nanojit::LIns*) 	js/src/jstracer.cpp:3323
1 	js3250.dll 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9712
2 	js3250.dll 	js3250.dll@0x826df

However, a number of stacks look like this, from bp-64284f2b-0190-4720-8707-d8d652090623:

Frame  	Module  	Signature  	Source
0 	libmozjs.dylib 	TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*) 	js/src/jstracer.cpp:3323
1 	libmozjs.dylib 	TraceRecorder::fuseIf(unsigned char*, bool, nanojit::LIns*) 	js/src/jstracer.cpp:3357
2 	libmozjs.dylib 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9712
3 	libmozjs.dylib 	TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) 	js/src/jsopcode.tbl:281
4 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3046
5 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
6 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
7 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
8 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
9 	XUL 	PrepareAndDispatch 	
10 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
11 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
12 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
13 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
14 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
15 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
16 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
17 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
18 	XUL 	XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) 	js/src/xpconnect/src/XPCWrapper.cpp:406
19 	XUL 	XPC_NW_NewResolve 	js/src/xpconnect/src/XPCNativeWrapper.cpp:748
20 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
21 	libmozjs.dylib 	js_FindProperty 	js/src/jsobj.cpp:3773
22 	libmozjs.dylib 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9704
23 	libmozjs.dylib 	TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) 	js/src/jsopcode.tbl:281
24 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3046
25 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
26 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
27 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
28 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
29 	XUL 	PrepareAndDispatch 	
30 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
31 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
32 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
33 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
34 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
35 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
36 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
37 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
38 	XUL 	XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) 	js/src/xpconnect/src/XPCWrapper.cpp:406
39 	XUL 	XPC_NW_NewResolve 	js/src/xpconnect/src/XPCNativeWrapper.cpp:748
40 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
41 	libmozjs.dylib 	js_FindProperty 	js/src/jsobj.cpp:3773
42 	libmozjs.dylib 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9704
43 	libmozjs.dylib 	TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) 	js/src/jsopcode.tbl:281
44 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3046
45 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
46 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
47 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
48 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
49 	XUL 	PrepareAndDispatch 	
50 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
51 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
52 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
53 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
54 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
55 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
56 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
57 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
58 	XUL 	XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) 	js/src/xpconnect/src/XPCWrapper.cpp:406
59 	XUL 	XPC_NW_NewResolve 	js/src/xpconnect/src/XPCNativeWrapper.cpp:748
60 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
61 	libmozjs.dylib 	js_FindProperty 	js/src/jsobj.cpp:3773
62 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3415
63 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
64 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
65 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
66 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
67 	XUL 	PrepareAndDispatch 	
68 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
69 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
70 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
71 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
72 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
73 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
74 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
75 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
76 	XUL 	XPC_WN_Helper_NewResolve 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1074
77 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
78 	libmozjs.dylib 	js_GetPropertyHelper 	js/src/jsobj.cpp:4257
79 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:4449
80 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
81 	libmozjs.dylib 	js_fun_call 	js/src/jsfun.cpp:1985
82 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5147
83 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
84 	libmozjs.dylib 	js_fun_call 	js/src/jsfun.cpp:1985
85 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5147
86 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
87 	libmozjs.dylib 	js_fun_call 	js/src/jsfun.cpp:1985
88 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5147
89 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
90 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
91 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
92 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
93 	XUL 	PrepareAndDispatch 	
94 	XUL 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsPIDOMEventTarget*, unsigned int) 	content/events/src/nsEventListenerManager.cpp:1098
95 	XUL 	nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsPIDOMEventTarget*, unsigned int, nsEventStatus*) 	content/events/src/nsEventListenerManager.cpp:1206
96 	XUL 	nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, int) 	content/events/src/nsEventDispatcher.cpp:236
97 	XUL 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, int) 	content/events/src/nsEventDispatcher.cpp:300
98 	XUL 	nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) 	content/events/src/nsEventDispatcher.cpp:514
99 	XUL 	nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) 	content/events/src/nsEventDispatcher.cpp:576
100 	XUL 	nsDocument::DispatchEvent(nsIDOMEvent*, int*) 	content/base/src/nsDocument.cpp:6178
155 	AppKit 	_DPSNextEvent 	
156 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
157 	AppKit 	-[NSApplication run] 	
158 	XUL 	nsAppShell::Run() 	widget/src/cocoa/nsAppShell.mm:720
159 	XUL 	nsAppStartup::Run() 	toolkit/components/startup/src/nsAppStartup.cpp:193
160 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3298
161 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
162 	firefox-bin 	firefox-bin@0x1541 	
163 	firefox-bin 	firefox-bin@0x1468 	
164 		@0x1

I'm hoping that second one is more helpful...

Lars, can you pull out URLs for this topcrash? Feel free to put them in a new, private bug for privacy issues.
Severity: normal → critical
bp-b2082d60-2d00-4ccd-b035-c91e82090623 also offers a slightly different version of the second stack in comment 0.
Assuming I got hold of the right source version, the bug occurs here:

  3320 TraceRecorder::emitIf(jsbytecode* pc, bool cond, LIns* x)
  3321 {
  3322     ExitType exitType;
  3323     if (js_IsLoopEdge(pc, (jsbytecode*)fragment->root->ip)) {
  3324         exitType = LOOP_EXIT;

This smells like fragment->root being NULL or invalid. NULL would be a safe crash. Invalid would be worse. The URLs would be very useful. This might be an OOM condition issue. Adding graydon who did most of the blacklisting work and reviewing.
Flags: blocking1.9.2?
Flags: wanted1.9.1.x?
From the stack it looks like we have more than one recorder active. That's a bit sketchy. This should be reproducible from the URLs.
Bug 500192 has URLs for Firefox 3.5, 3.5pre and 3.5b99 (in that order)
Flags: wanted1.9.1.x? → wanted1.9.1.x+
Whiteboard: [3.5.1?]
I had no luck with any of the top 30 urls, but

http://www.verycd.com/

appears frequently. Anyone else want to give this a shot?
(In reply to comment #5)
> I had no luck with any of the top 30 urls, but
> 
> http://www.verycd.com/
> 
> appears frequently. Anyone else want to give this a shot?

That's a popular Chinese site btw.
Setting flag. Reproducing this would be great, and bisecting. Still tapping in the dark here.
Keywords: qawanted
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x10

Layout of Fragment:

            DWB(Fragment*) treeBranches; 0x00
            DWB(Fragment*) branches; 0x04
            DWB(Fragment*) nextbranch; 0x08
            DWB(Fragment*) anchor; 0x0c
            DWB(Fragment*) root; 0x10

So fragment->root is NULL as I initially suspected.
Has the automated QA crawler vs. crash URLs been tried?
I'm running them now, but the crash density is very low. I should have complete results for mac os x (macbook & older xserve), winxp and windows 2003 server soon.
No crashes or hangs in windows/mac with a build from yesterday.
I crashed in this stack yesterday using Snow Leopard.  http://crash-stats.mozilla.com/report/index/bb8fffe6-47f2-422e-af24-68d682090624 is my breakpad. I crashed after installing several plugins.  Here is my machine config:

Generated: Thu Jun 25 2009 15:54:30 GMT-0700 (PST)
User Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build ID: 20090624012136

Enabled Extensions: [6]

    * Adblock Plus 1.0.2
    * Firebug 1.4.0b2
    * Firecookie 0.8
    * FireFTP 1.0.4
    * FirePHP 0.3
    * MR Tech Toolkit 6.0.3.3

Installed Themes: [1]

    * Default

Installed Plugins: (8)

    * Default Plugin
    * Flip4Mac Windows Media Plugin 2.2.3
    * Java Embedding Plugin 0.9.7.1
    * MoveNetworks Quantum Media Player
    * Picasa
    * QuickTime Plug-in 7.6.3
    * Shockwave Flash
    * Silverlight Plug-In
Marcia, can you reproduce the crash?
Andreas, not yet - trying now. I have the history of the sites I was visiting around the time of the crash but so far no luck, and I am trying some of the sites in the attachment. Will keep you advised.
Ok, I can now repro on my machine using these STR:

1. Visit http://www.wetanz.com/boromir-son-of-denethor-figure/
2. Select the spyglass in the picture. I crash every time.
I should note that I can repro the crash on the Mac 10.6 lab machine with the config listed in Comment 12. I haven't been able to repro the crash on my 10.5 machine with my current profile.
I tried this with my TM tip debug build. No crash. We will have to do this with your 10.6 box. Do you have access to debug builds for 1.9.1? We should try to catch the crash with a debug build in gdb and then debug it on scene.
I disabled Firebug on the 10.6 machine and that seems to eliminate the crash.  Should we still go ahead with a debug build on the 10.6 machine? A 10.4 machine running with Firebug and RC3 does not crash.
My gut feeling is that the bug is not 10.6 specific, it's just exposed there for some reason but not on the 10.4 box. So if you can go ahead and try to capture this with a debug build on the 10.6 box, that would be great. Thanks!
Anthony was able to find out that the combination of Firebug and Adblock plus seems to trigger the crash. He is working on a debug build now.
I believe I have found reliable STR that is reproducible on all platforms (Windows, Mac and Linux):

1. Open Firefox with a new profile
2. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
3. Install Firebug from AMO and restart
4. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
5. Install Adblock Plus from AMO and restart (subscribe to EasyList USA)
6. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
7. Disable Firebug and restart
8. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
9. Enable Firebug and disable Adblock Plus then restart
10. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
11. Enable Adblock Plus
12. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
13. Disable Flash
14. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.

RESULT:
No Addons -> Widget works
Firebug-only -> Widget works
Adblock Plus-only -> Widget works
Firebug + Adblock Plus -> CRASH!
Disable Flash -> Widget Works
Attached file Debug Terminal Output
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090626 Minefield/3.6a1pre

Here is the output from my debug build.  I marked my actions in the output itself.  It should be noted that Minefield just hangs for about a minute then the OSX crash reporter appears (same STR as before).
(In reply to comment #22)
> Created an attachment (id=385425) [details]
> Debug Terminal Output
> 
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
> Gecko/20090626 Minefield/3.6a1pre
> 
> Here is the output from my debug build.  I marked my actions in the output
> itself.  It should be noted that Minefield just hangs for about a minute then
> the OSX crash reporter appears (same STR as before).

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090626 Shiretoko/3.5pre

I can repro simply by installing Firebug and Adblock Plus (easylist US) at one go, heading to http://www.wetanz.com/boromir-son-of-denethor-figure/ then clicking on the Zoom button.

CC'ing testcase-reducer-expert Jesse. :)

ref bp-e28c7a2a-d6ef-4ef5-a33f-92b4d2090626
Anthony: the 1 minute delay with debug builds is "normal". It seems macosx is scanning the symbol tables in the debug build to produce the crash report. That seems to take forever. It's very annoying, but we see it all the time.
Flags: blocking1.9.2?
Flags: blocking1.9.2+
Flags: blocking1.9.1.1?
Whiteboard: [3.5.1?]
> I can repro simply by installing Firebug and Adblock Plus (easylist US) at one
> go, heading to http://www.wetanz.com/boromir-son-of-denethor-figure/ then
> clicking on the Zoom button.

Correct.  All that is required to reproduce the crash is Firefox, Adblock Plus, Firebug, and Flash.  My original STR was to prove all variables required to make this crash.  Sorry if the STR seemed a bit lengthy.
Attached patch patch
Assignee: general → gal
This is a safe crash (always NULL). No flash or Adblock or Firebug needed, just a JSOP_IN property lookup that deep aborts us. Should be reasonably rare though. We can easily fix this for 3.5.1.

Great job by QA reproducing this. Thanks a lot Marcia and Anthony and Gary. I was easily able to catch this in GDB with your STR.
Attachment #385501 - Flags: review?(dvander)
Attachment #385501 - Flags: review?(dvander) → review+
Priority: -- → P2
Summary: top crash [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)] → Deep abort is not detected in JSOP_IN
Target Milestone: --- → mozilla1.9.1
Priority: P2 → --
Summary: Deep abort is not detected in JSOP_IN → top crash [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
Target Milestone: mozilla1.9.1 → ---
Summary: top crash [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)] → Deep abort is not detected in JSOP_IN
Keywords: qawanted
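
A simplified model of the failure diagnosed above, added here as an illustration and not taken from TraceMonkey or from the attached patch: a recorder performs a property lookup whose resolve hook re-enters the engine and aborts the recording, and the recorder then carries on with stale state. All type and function names are hypothetical, and the model assumes that an abort clears `fragment->root`; the re-validation shown is one way to express such a check, not the project's fix.

```cpp
#include <cstdio>

// Hypothetical stand-ins for the engine's types (not TraceMonkey source).
struct Fragment {
    Fragment* root = nullptr;
    const unsigned char* ip = nullptr;
};

struct Recorder;

struct TraceMonitor {
    Recorder* recorder = nullptr;   // non-null while a recording is active
};

struct Recorder {
    TraceMonitor* tm;
    Fragment* fragment;
};

enum RecordResult { EMITTED, ABORTED_SAFELY, NULL_ROOT_DEREF };

// Model assumption: aborting a recording clears fragment->root and
// unregisters the recorder from the monitor.
void abortRecording(TraceMonitor* tm) {
    if (tm->recorder) {
        tm->recorder->fragment->root = nullptr;
        tm->recorder = nullptr;
    }
}

// A property lookup may run a resolve hook, i.e. arbitrary code that can
// re-enter the interpreter while the outer recorder is still on the stack.
using ResolveHook = void (*)(TraceMonitor*);
void benignHook(TraceMonitor*) {}
void reentrantHook(TraceMonitor* tm) { abortRecording(tm); }  // the "deep abort"

void findProperty(TraceMonitor* tm, ResolveHook hook) {
    if (hook) hook(tm);
}

// Stand-in for the step that needs fragment->root->ip. It reports the NULL
// root instead of faulting so that the example can run to completion.
RecordResult emitGuard(const Recorder& r) {
    if (r.fragment->root == nullptr)
        return NULL_ROOT_DEREF;
    (void)r.fragment->root->ip;
    return EMITTED;
}

// Before: recorder state is used right after the lookup returns.
RecordResult recordInUnchecked(TraceMonitor* tm, Recorder& r, ResolveHook hook) {
    findProperty(tm, hook);
    return emitGuard(r);
}

// After: confirm this recorder is still the active one before touching it.
RecordResult recordInChecked(TraceMonitor* tm, Recorder& r, ResolveHook hook) {
    findProperty(tm, hook);
    if (tm->recorder != &r)
        return ABORTED_SAFELY;      // the lookup aborted us; stop recording
    return emitGuard(r);
}

// Build a fresh recording and run one of the two variants against a hook.
RecordResult run(bool checked, ResolveHook hook) {
    Fragment root;
    Fragment frag;
    frag.root = &root;
    TraceMonitor tm;
    Recorder rec{&tm, &frag};
    tm.recorder = &rec;
    return checked ? recordInChecked(&tm, rec, hook)
                   : recordInUnchecked(&tm, rec, hook);
}

int main() {
    std::printf("unchecked, benign hook:     %d\n", (int)run(false, benignHook));
    std::printf("unchecked, re-entrant hook: %d\n", (int)run(false, reentrantHook));
    std::printf("checked,   benign hook:     %d\n", (int)run(true, benignHook));
    std::printf("checked,   re-entrant hook: %d\n", (int)run(true, reentrantHook));
    return 0;
}
```
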
http://hg.mozilla.org/tracemonkey/rev/71e3e7b40341
Whiteboard: fixed-in-tracemonkey
Assertion failure: x->oprnd2() == lirbuf->sp || x->oprnd2() == lirbuf->state, at /Users/skywalker/comm-central/mozilla/js/src/jstracer.cpp:2312

Btw, I only needed to install Adblock Plus to trigger that assertion above (fatal in debug) when clicking the spyglass. Somehow Firebug turns that assertion above into a crash. Which explains why an optimized nightly requires Firebug. I'm still trying to get a local testcase though, the site apparently doesn't use XHR...
Keywords: testcase-wanted
Gary, the assert is with or without the patch?
(In reply to comment #30)
> Gary, the assert is with or without the patch?

Sorry, forgot to mention, it's on Shiretoko 1.9.1, which is without the patch.
Keywords: relnote
If I'm expected to relnote this, I need an English description of the problem. So far I honestly can't determine where we expect this crash to occur based on the previous comments in this bug. Is it Snow Leopard specific or not?
(In reply to comment #32)
> If I'm expected to relnote this, I need an English description of the problem.
> So far I honestly can't determine where we expect this crash to occur based on
> the previous comments in this bug. Is it Snow Leopard specific or not?

Speaking to the OS question, I was able to reproduce it on all platforms.
This bug affects all platforms and is currently the #29 top crash for 3.5 on crash-stats.  Comment 25 describes the three criteria that are needed: Adblock Plus, Firebug, and Flash. Certain sites such as tmobile and woot.com are referenced in the crash comments. 

(In reply to comment #32)
> If I'm expected to relnote this, I need an English description of the problem.
> So far I honestly can't determine where we expect this crash to occur based on
> the previous comments in this bug. Is it Snow Leopard specific or not?
Flags: blocking1.9.1.1? → blocking1.9.1.1+
Adblock Plus, Firebug and Flash are not needed. They are only needed for the specific reproducible test case. This can also happen under different circumstances without them.
Flags: blocking1.9.1.1+ → blocking1.9.1.1?
This is topcrash 48 in the 3.5 release, looks like possibly the sole tracemonkey culprit in the top 100, at the moment?

ref d8512612-d8a2-433b-b908-90d122090630 etc.
Summary: Deep abort is not detected in JSOP_IN → Deep abort is not detected in JSOP_IN [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
This was merged on June 30, 2009

http://hg.mozilla.org/mozilla-central/rev/71e3e7b40341
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Let's get this in 1.9.1.1 since it fixes a topcrash. Andreas: Does this patch apply cleanly? Please request approval on an appropriate patch.
Flags: blocking1.9.1.1? → blocking1.9.1.1+
Andreas: Ping on comment 42.
Keywords: fixed1.9.1.1
Attachment #385501 - Flags: approval1.9.1.1?
Attachment #385501 - Flags: approval1.9.1.1? → approval1.9.1.1+
Andreas/dvander: can you verify that this is fixed in latest-mozilla1.9.1 nightly or better yet the 3.5.1 release candidate: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.5.1-candidates/build1/
Verified using 3.5.1 candidate build (MacOSX).
Status: RESOLVED → VERIFIED
Andreas, checking with 3.5.1 means we have to flip the keyword to verified1.9.1.1. The bug status is set when verifying the bug against the most recent branch (trunk). I'll update the flags.
Status: VERIFIED → RESOLVED
Closed: 15 years ago → 15 years ago
Flags: in-testsuite?
Target Milestone: --- → mozilla1.9.2a1
Thanks Henrik.
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Removing relnote
Keywords: relnote
Crash Signature: [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
Filter on qa-project-auto-change:

Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-