Closed Bug 595365 Opened 14 years ago Closed 14 years ago

Google Maps crash on tracemonkey branch [@ JSObject::removeProperty(JSContext*, int) ]

Categories

(Core :: JavaScript Engine, defect, P1)

Other Branch
defect

Tracking

()

RESOLVED FIXED
mozilla2.0b7
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: megabyte, Assigned: brendan)

References

Details

(Keywords: regression, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 2 obsolete files)

I can't repro this locally. I tried a 20100909 TM nightly and a personal build from today. 

The crash signatures look like they might be scope-removal-related, or JM-related.

Can you still repro it now? And what happens if you set 

  javascript.options.methodjit.content = false

in about:config? Does it still crash?
I still get the crash with methodjit disabled, with all jit disabled, and in safe mode with all jit disabled.
I found out that I get the crash if I'm logged in, but not if I'm not.  I believe this must be due to Labs features being enabled.  I can trigger the crash easily when not logged in by simply mousing over the Labs icon in the top right corner.
(In reply to comment #3)
> I found out that I get the crash if I'm logged in, but not if I'm not.  I
> believe this must be due to Labs features being enabled.  I can trigger the
> crash easily when not logged in by simply mousing over the Labs icon in the top
> right corner.

Can you say more about which Labs features? Maybe steps to reproduce (even if not minimal)?

This looks like fallout from bug 558451.

/be
Assignee: general → brendan
Blocks: 588451
It actually doesn't take any specific Labs feature (it crashes before that).

Step 1. Load maps.google.com
Step 2. Mouse over the labs icon
Blocks: 558451
No longer blocks: 588451
This crashes for me with all JITs disabled.
OS: Windows 7 → All
Hardware: x86_64 → All
blocking2.0: --- → beta6+
STR: just mouse over the little potion with "New!" next to it in the upper right. You might have to be logged in to a Google account.

Could be the same as bug 592214.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Rats.

/be
Status: REOPENED → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla2.0b6
Attached patch fix (obsolete) — Splinter Review
I may push this to tm and m-c ahead of review, to avoid nightly build user pain.

/be
Attachment #474477 - Flags: review?(jorendorff)
Attached patch fix (obsolete) — Splinter Review
Use obj not pobj in add2dictfills reject-propcache-fill case.

/be
Attachment #474477 - Attachment is obsolete: true
Attachment #474478 - Flags: review?(jorendorff)
Attachment #474477 - Flags: review?(jorendorff)
Attached patch fixSplinter Review
With typo fix -- thanks to philor for proof-reading.

/be
Attachment #474478 - Attachment is obsolete: true
Attachment #474482 - Flags: review?(jorendorff)
Attachment #474478 - Flags: review?(jorendorff)
Attachment #474482 - Flags: review?(dvander)
Attachment #474482 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/1a5fefbe9f2f
http://hg.mozilla.org/mozilla-central/rev/cd3c926a7413

/be
Status: ASSIGNED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
I turned off this test in the browser because it uses shapeOf (and fails because of it), which other tests lead me to believe is shell only.

http://hg.mozilla.org/mozilla-central/rev/484bd866905e
Attachment #474482 - Flags: review?(jorendorff) → review+
If this patch has indeed landed on the m-c Trunk build for September 12, 2010, it has fixed things on Google Maps. I have been able to load, get directions, zoom and scroll maps on GMaps on my Win7 system.
Kyle: thanks for fixing jstests.list -- I propagated your change from m-c to tm. Sorry about the orange.

Ray: thanks for confirming.

/be
I filed bug 596128 for a still-reproducable crash that looks similar to the ones reported here.
Ryan, Gavin: new and different bug, I'm on it. Thanks for commenting (and filing, Gavin).

/be
(Maybe not "new" -- perhaps contemporaneous -- but definitely "different".)
Keywords: regression
Blocks: 568275
Blocks: 872381
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: