Closed
Bug 500108
Opened 15 years ago
Closed 15 years ago
Deep abort is not detected in JSOP_IN [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2a1
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
People
(Reporter: samuel.sidler+old, Assigned: gal)
References
()
Details
(Keywords: crash, topcrash, verified1.9.1.1, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(2 files)
7.07 KB,
text/plain
|
Details | |
868 bytes,
patch
|
dvander
:
review+
samuel.sidler+old
:
approval1.9.1.1+
|
Details | Diff | Splinter Review |
The current #7 (earlier today #8) top crash in Firefox 3.5 RC happens with a signature of TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*). This crash happens across platforms (Windows and Mac). The majority of the stacks look like this, from bp-86691c70-423b-4957-9637-3f4c02090623: Frame Module Signature Source 0 js3250.dll TraceRecorder::emitIf(unsigned char*,bool,nanojit::LIns*) js/src/jstracer.cpp:3323 1 js3250.dll TraceRecorder::record_JSOP_IN() js/src/jstracer.cpp:9712 2 js3250.dll js3250.dll@0x826df However, a number of stacks look like this, from bp-64284f2b-0190-4720-8707-d8d652090623: Frame Module Signature Source 0 libmozjs.dylib TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*) js/src/jstracer.cpp:3323 1 libmozjs.dylib TraceRecorder::fuseIf(unsigned char*, bool, nanojit::LIns*) js/src/jstracer.cpp:3357 2 libmozjs.dylib TraceRecorder::record_JSOP_IN() js/src/jstracer.cpp:9712 3 libmozjs.dylib TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) js/src/jsopcode.tbl:281 4 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:3046 5 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 6 XUL nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697 7 XUL nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjs.cpp:561 8 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 9 XUL PrepareAndDispatch 10 XUL nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) content/base/src/nsContentPolicy.cpp:157 11 XUL nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) nsContentPolicyUtils.h:223 12 XUL nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:911 13 XUL nsObjectFrame::Instantiate(char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:1818 14 XUL nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) content/base/src/nsObjectLoadingContent.cpp:1768 15 XUL nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) content/base/src/nsObjectLoadingContent.cpp:783 16 XUL nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) dom/src/base/nsDOMClassInfo.cpp:9251 17 XUL nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) dom/src/base/nsDOMClassInfo.cpp:9792 18 XUL XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) js/src/xpconnect/src/XPCWrapper.cpp:406 19 XUL XPC_NW_NewResolve js/src/xpconnect/src/XPCNativeWrapper.cpp:748 20 libmozjs.dylib js_LookupPropertyWithFlags js/src/jsobj.cpp:3850 21 libmozjs.dylib js_FindProperty js/src/jsobj.cpp:3773 22 libmozjs.dylib TraceRecorder::record_JSOP_IN() js/src/jstracer.cpp:9704 23 libmozjs.dylib TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) js/src/jsopcode.tbl:281 24 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:3046 25 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 26 XUL nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697 27 XUL nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjs.cpp:561 28 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 29 XUL PrepareAndDispatch 30 XUL nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) content/base/src/nsContentPolicy.cpp:157 31 XUL nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) nsContentPolicyUtils.h:223 32 XUL nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:911 33 XUL nsObjectFrame::Instantiate(char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:1818 34 XUL nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) content/base/src/nsObjectLoadingContent.cpp:1768 35 XUL nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) content/base/src/nsObjectLoadingContent.cpp:783 36 XUL nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) dom/src/base/nsDOMClassInfo.cpp:9251 37 XUL nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) dom/src/base/nsDOMClassInfo.cpp:9792 38 XUL XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) js/src/xpconnect/src/XPCWrapper.cpp:406 39 XUL XPC_NW_NewResolve js/src/xpconnect/src/XPCNativeWrapper.cpp:748 40 libmozjs.dylib js_LookupPropertyWithFlags js/src/jsobj.cpp:3850 41 libmozjs.dylib js_FindProperty js/src/jsobj.cpp:3773 42 libmozjs.dylib TraceRecorder::record_JSOP_IN() js/src/jstracer.cpp:9704 43 libmozjs.dylib TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) js/src/jsopcode.tbl:281 44 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:3046 45 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 46 XUL nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697 47 XUL nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjs.cpp:561 48 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 49 XUL PrepareAndDispatch 50 XUL nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) content/base/src/nsContentPolicy.cpp:157 51 XUL nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) nsContentPolicyUtils.h:223 52 XUL nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:911 53 XUL nsObjectFrame::Instantiate(char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:1818 54 XUL nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) content/base/src/nsObjectLoadingContent.cpp:1768 55 XUL nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) content/base/src/nsObjectLoadingContent.cpp:783 56 XUL nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) dom/src/base/nsDOMClassInfo.cpp:9251 57 XUL nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) dom/src/base/nsDOMClassInfo.cpp:9792 58 XUL XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) js/src/xpconnect/src/XPCWrapper.cpp:406 59 XUL XPC_NW_NewResolve js/src/xpconnect/src/XPCNativeWrapper.cpp:748 60 libmozjs.dylib js_LookupPropertyWithFlags js/src/jsobj.cpp:3850 61 libmozjs.dylib js_FindProperty js/src/jsobj.cpp:3773 62 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:3415 63 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 64 XUL nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697 65 XUL nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjs.cpp:561 66 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 67 XUL PrepareAndDispatch 68 XUL nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) content/base/src/nsContentPolicy.cpp:157 69 XUL nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) nsContentPolicyUtils.h:223 70 XUL nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:911 71 XUL nsObjectFrame::Instantiate(char const*, nsIURI*) layout/generic/nsObjectFrame.cpp:1818 72 XUL nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) content/base/src/nsObjectLoadingContent.cpp:1768 73 XUL nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) content/base/src/nsObjectLoadingContent.cpp:783 74 XUL nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) dom/src/base/nsDOMClassInfo.cpp:9251 75 XUL nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) dom/src/base/nsDOMClassInfo.cpp:9792 76 XUL XPC_WN_Helper_NewResolve js/src/xpconnect/src/xpcwrappednativejsops.cpp:1074 77 libmozjs.dylib js_LookupPropertyWithFlags js/src/jsobj.cpp:3850 78 libmozjs.dylib js_GetPropertyHelper js/src/jsobj.cpp:4257 79 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:4449 80 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 81 libmozjs.dylib js_fun_call js/src/jsfun.cpp:1985 82 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5147 83 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 84 libmozjs.dylib js_fun_call js/src/jsfun.cpp:1985 85 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5147 86 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 87 libmozjs.dylib js_fun_call js/src/jsfun.cpp:1985 88 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5147 89 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394 90 XUL nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697 91 XUL nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/src/xpconnect/src/xpcwrappedjs.cpp:561 92 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 93 XUL PrepareAndDispatch 94 XUL nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsPIDOMEventTarget*, unsigned int) content/events/src/nsEventListenerManager.cpp:1098 95 XUL nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsPIDOMEventTarget*, unsigned int, nsEventStatus*) content/events/src/nsEventListenerManager.cpp:1206 96 XUL nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, int) content/events/src/nsEventDispatcher.cpp:236 97 XUL nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, int) content/events/src/nsEventDispatcher.cpp:300 98 XUL nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) content/events/src/nsEventDispatcher.cpp:514 99 XUL nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) content/events/src/nsEventDispatcher.cpp:576 100 XUL nsDocument::DispatchEvent(nsIDOMEvent*, int*) content/base/src/nsDocument.cpp:6178 155 AppKit _DPSNextEvent 156 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 157 AppKit -[NSApplication run] 158 XUL nsAppShell::Run() widget/src/cocoa/nsAppShell.mm:720 159 XUL nsAppStartup::Run() toolkit/components/startup/src/nsAppStartup.cpp:193 160 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3298 161 firefox-bin main browser/app/nsBrowserApp.cpp:156 162 firefox-bin firefox-bin@0x1541 163 firefox-bin firefox-bin@0x1468 164 @0x1 I'm hoping that second one is more helpful... Lars, can you pull out URLs for this topcrash? Feel free to put them in a new, private bug for privacy issues.
Reporter | ||
Updated•15 years ago
|
Severity: normal → critical
Reporter | ||
Comment 1•15 years ago
|
||
bp-b2082d60-2d00-4ccd-b035-c91e82090623 also offers a slightly different version of the second stack in comment 0.
Assignee | ||
Comment 2•15 years ago
|
||
Assuming I got hold of the right source version, the bug occurs here: 3320 TraceRecorder::emitIf(jsbytecode* pc, bool cond, LIns* x) 3321 { 3322 ExitType exitType; 3323 if (js_IsLoopEdge(pc, (jsbytecode*)fragment->root->ip)) { 3324 exitType = LOOP_EXIT; This smells like fragment->root being NULL or invalid. NULL would be a safe crash. invalid would be worse. The urls would be very useful. This might be an OOM condition issue. Adding graydon who did most of the blacklisting work and reviewing.
Flags: blocking1.9.2?
Assignee | ||
Updated•15 years ago
|
Flags: wanted1.9.1.x?
Assignee | ||
Comment 3•15 years ago
|
||
From the stack it looks like we have more than one recorder active. Thats a bit sketchy. This should be reproducible from the URLs.
Comment 4•15 years ago
|
||
Bug 500192 has URLs for Firefox 3.5, 3.5pre and 3.5b99 (in that order)
Updated•15 years ago
|
Flags: wanted1.9.1.x? → wanted1.9.1.x+
Whiteboard: [3.5.1?]
Assignee | ||
Comment 5•15 years ago
|
||
I had no luck with any of the top 30 urls, but http://www.verycd.com/ appears frequently. Anyone else wants to give this a shot?
Comment 6•15 years ago
|
||
(In reply to comment #5) > I had no luck with any of the top 30 urls, but > > http://www.verycd.com/ > > appears frequently. Anyone else wants to give this a shot? That's a popular Chinese site btw.
Assignee | ||
Comment 7•15 years ago
|
||
Setting flag. Reproducing this would be great, and bisecting. Still tapping in the dark here.
Keywords: qawanted
Assignee | ||
Comment 8•15 years ago
|
||
Crash Reason EXCEPTION_ACCESS_VIOLATION Crash Address 0x10 Layout of Fragment: DWB(Fragment*) treeBranches; 0x00 DWB(Fragment*) branches; 0x04 DWB(Fragment*) nextbranch; 0x08 DWB(Fragment*) anchor; 0x0c DWB(Fragment*) root; 0x10 So fragment->root is NULL as I initially suspected.
Comment 9•15 years ago
|
||
has the automated QA crawler vs. crash URLs been tried?
Comment 10•15 years ago
|
||
I'm running them now, but the crash density is very low. I should have complete results for mac os x (macbook & older xserve), winxp and windows 2003 server soon.
Comment 11•15 years ago
|
||
no crashes or hangs in windows/mac with a build from yesterday.
Comment 12•15 years ago
|
||
I crashed in this stack yesterday using Snow Leopard. http://crash-stats.mozilla.com/report/index/bb8fffe6-47f2-422e-af24-68d682090624 is my breakpad. I crashed after installing several plugins. Here is my machine config: Generated: Thu Jun 25 2009 15:54:30 GMT-0700 (PST) User Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 Build ID: 20090624012136 Enabled Extensions: [6] * Adblock Plus 1.0.2 * Firebug 1.4.0b2 * Firecookie 0.8 * FireFTP 1.0.4 * FirePHP 0.3 * MR Tech Toolkit 6.0.3.3 Installed Themes: [1] * Default Installed Plugins: (8) * Default Plugin * Flip4Mac Windows Media Plugin 2.2.3 * Java Embedding Plugin 0.9.7.1 * MoveNetworks Quantum Media Player * Picasa * QuickTime Plug-in 7.6.3 * Shockwave Flash * Silverlight Plug-In
Assignee | ||
Comment 13•15 years ago
|
||
Marcia, can you reproduce the crash?
Comment 14•15 years ago
|
||
Andreas, not yet - trying now. I have the history of the sites I was visiting around the time of the crash but so far no luck, and I am trying some of the sites in the attachment. Will keep you advised.
Comment 15•15 years ago
|
||
Ok, I can now repro on my machine using these STR: 1. Visit http://www.wetanz.com/boromir-son-of-denethor-figure/ 2. Select the spyglass in the picture. I crash every time.
Comment 16•15 years ago
|
||
I should note that I can repro the crash on the Mac 10.6 lab machine with the config listed in Comment 12. I haven't been able to repro the crash on my 10.5 machine with my current profile.
Assignee | ||
Comment 17•15 years ago
|
||
I tried this with my TM tip debug build. No crash. We will have to do this with your 10.6 box. Do you have access to debug builds for 1.9.1? We should try to catch the crash with a debug build in gdb and then debug it on scene.
Comment 18•15 years ago
|
||
I disabled Firebug on the 10.6 machine and that seems to eliminate the crash. Should we still go ahead with a debug build on the 10.6 machine? A 10.4 machine running with Firebug and RC3 does not crash.
Assignee | ||
Comment 19•15 years ago
|
||
My gut feeling is that the bug is not 10.6 specific, its just exposed there for some reason but not on the 10.4 box. So if you can go ahead and try to capture this with a debug build on the 10.6 box, that would be great. Thanks!
Comment 20•15 years ago
|
||
Anthony was able to find out that the combination of Firebug and Adblock plus seems to trigger the crash. He is working on a debug build now.
Comment 21•15 years ago
|
||
I believe I have found reliable STR that is reproducible on all platforms (Windows, Mac and Linux): 1. Open Firefox with a new profile 2. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image. 3. Install Firebug from AMO and restart 4. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image. 5. Install Adblock Plus from AMO and restart (subscribe to EasyList USA) 6. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image. 7. Disable Firebug and restart 8. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image. 9. Enable Firebug and disable Adblock Plus then restart 10. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image. 11. Enable Adblock Plus 12. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image. 13. Disable Flash 14. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image. RESULT: No Addons -> Widget works Firebug-only -> Widget works Adblock Plus-only -> Widget works Firebug + Adblock Plus -> CRASH! Disable Flash -> Widget Works
Comment 22•15 years ago
|
||
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090626 Minefield/3.6a1pre Here is the output from my debug build. I marked my actions in the output itself. It should be noted that Minefield just hangs for about a minute then the OSX crash reporter appears (same STR as before).
Comment 23•15 years ago
|
||
(In reply to comment #22) > Created an attachment (id=385425) [details] > Debug Terminal Output > > Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) > Gecko/20090626 Minefield/3.6a1pre > > Here is the output from my debug build. I marked my actions in the output > itself. It should be noted that Minefield just hangs for about a minute then > the OSX crash reporter appears (same STR as before). Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090626 Shiretoko/3.5pre I can repro simply by installing Firebug and Adblock Plus (easylist US) at one go, heading to http://www.wetanz.com/boromir-son-of-denethor-figure/ then clicking on the Zoom button. CC'ing testcase-reducer-expert Jesse. :) ref bp-e28c7a2a-d6ef-4ef5-a33f-92b4d2090626
Assignee | ||
Comment 24•15 years ago
|
||
Anthony: the 1 minute delay with debug builds is "normal". It seems macosx is scanning the symbol tables in the debug build to produce the crash report. That seems to take forever. Its very annoying, but we see it all the time.
Updated•15 years ago
|
Flags: blocking1.9.2?
Flags: blocking1.9.2+
Flags: blocking1.9.1.1?
Whiteboard: [3.5.1?]
Comment 25•15 years ago
|
||
> I can repro simply by installing Firebug and Adblock Plus (easylist US) at one
> go, heading to http://www.wetanz.com/boromir-son-of-denethor-figure/ then
> clicking on the Zoom button.
Correct. All that is required to reproduce the crash is Firefox, Adblock Plus, Firebug, and Flash. My original STR was to prove all variables required to make this crash. Sorry if the STR seemed a bit lengthy.
Assignee | ||
Comment 26•15 years ago
|
||
Assignee: general → gal
Assignee | ||
Comment 27•15 years ago
|
||
This is a safe crash (always NULL). No flash or Adblock or Firebug needed, just a JSOP_IN property lookup that deep aborts us. Should be reasonably rare though. We can easily fix this for 3.5.1. Great job by QA reproducing this. Thanks a lot Marcia and Anthony and Gary. I was easily able to catch this in GDB with your STR.
Assignee | ||
Updated•15 years ago
|
Attachment #385501 -
Flags: review?(dvander)
Updated•15 years ago
|
Attachment #385501 -
Flags: review?(dvander) → review+
Assignee | ||
Updated•15 years ago
|
Priority: -- → P2
Summary: top crash [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)] → Deep abort is not detected in JSOP_IN
Target Milestone: --- → mozilla1.9.1
Updated•15 years ago
|
Priority: P2 → --
Summary: Deep abort is not detected in JSOP_IN → top crash [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
Target Milestone: mozilla1.9.1 → ---
Assignee | ||
Updated•15 years ago
|
Summary: top crash [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)] → Deep abort is not detected in JSOP_IN
Assignee | ||
Comment 28•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/71e3e7b40341
Whiteboard: fixed-in-tracemonkey
Comment 29•15 years ago
|
||
Assertion failure: x->oprnd2() == lirbuf->sp || x->oprnd2() == lirbuf->state, at /Users/skywalker/comm-central/mozilla/js/src/jstracer.cpp:2312 Btw, I only needed to install Adblock Plus to trigger that assertion above (fatal in debug) when clicking the spyglass. Somehow Firebug turns that assertion above into a crash. Which explains why a optimized nightly requires Firebug. I'm still trying to get a local testcase though, the site apparently doesn't use XHR...
Keywords: testcase-wanted
Assignee | ||
Comment 30•15 years ago
|
||
Gary, the assert is with or without the patch?
Comment 31•15 years ago
|
||
(In reply to comment #30) > Gary, the assert is with or without the patch? Sorry forgot to mention, it's on Shiretoko 1.9.1, which is without the patch.
Comment 32•15 years ago
|
||
If I'm expected to relnote this, I need an English description of the problem. So far I honestly can't determine where we expect this crash to occur based on the previous comments in this bug. Is it Snow Leopard specific or not?
Comment 33•15 years ago
|
||
(In reply to comment #32) > If I'm expected to relnote this, I need an English description of the problem. > So far I honestly can't determine where we expect this crash to occur based on > the previous comments in this bug. Is it Snow Leopard specific or not? Speaking to the OS question, I was able to reproduce it on all platforms.
Comment 34•15 years ago
|
||
This bug affects all platforms and is currently the #29 top crash for 3.5 on crash-stats. Comment 25 describes the three criteria that are needed: Adblock Plus, Firebug, and Flash. Certain sites such as tmobile and woot.com are referenced in the crash comments. (In reply to comment #32) > If I'm expected to relnote this, I need an English description of the problem. > So far I honestly can't determine where we expect this crash to occur based on > the previous comments in this bug. Is it Snow Leopard specific or not?
Flags: blocking1.9.1.1? → blocking1.9.1.1+
Assignee | ||
Comment 35•15 years ago
|
||
Adblock Plus, Firebug and Flash are not needed. They are only needed for the specific reproducible test case. This can also happen under different circumstances without them.
Updated•15 years ago
|
Flags: blocking1.9.1.1+ → blocking1.9.1.1?
Comment 40•15 years ago
|
||
This is topcrash 48 in the 3.5 release, looks like possibly the sole tracemonkey culprit in the top 100, at the moment? ref d8512612-d8a2-433b-b908-90d122090630 etc.
Summary: Deep abort is not detected in JSOP_IN → Deep abort is not detected in JSOP_IN [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
Comment 41•15 years ago
|
||
this was merged on june 30, 2009 http://hg.mozilla.org/mozilla-central/rev/71e3e7b40341
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 42•15 years ago
|
||
Let's get this in 1.9.1.1 since it fixes a topcrash. Andreas: Does this patch apply cleanly? Please request approval on an appropriate patch.
Flags: blocking1.9.1.1? → blocking1.9.1.1+
Reporter | ||
Comment 43•15 years ago
|
||
Andreas: Ping on comment 42.
Updated•15 years ago
|
Keywords: fixed1.9.1.1
Updated•15 years ago
|
Attachment #385501 -
Flags: approval1.9.1.1?
Reporter | ||
Updated•15 years ago
|
Attachment #385501 -
Flags: approval1.9.1.1? → approval1.9.1.1+
Comment 45•15 years ago
|
||
Andreas/dvander: can you verify that this is fixed in latest-mozilla1.9.1 nightly or better yet the 3.5.1 release candidate: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.5.1-candidates/build1/
Assignee | ||
Comment 46•15 years ago
|
||
Verified using 3.5.1 candidate build (MacOSX).
Status: RESOLVED → VERIFIED
Comment 47•15 years ago
|
||
Andreas, checking with 3.5.1 means we have to flip the keyword to verified1.9.1.1. The bug status is set when verifying the bug against the most recent branch (trunk). I'll update the flags.
Status: VERIFIED → RESOLVED
Closed: 15 years ago → 15 years ago
Flags: in-testsuite?
Keywords: fixed1.9.1.1 → verified1.9.1.1
Target Milestone: --- → mozilla1.9.2a1
Assignee | ||
Comment 48•15 years ago
|
||
Thanks Henrik.
Comment 49•15 years ago
|
||
Mass change: adding fixed1.9.2 keyword (This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Reporter | ||
Updated•15 years ago
|
status1.9.2:
--- → beta1-fixed
Keywords: fixed1.9.2
Updated•13 years ago
|
Crash Signature: [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
Comment 51•11 years ago
|
||
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•