Closed Bug 715144 Opened 13 years ago Closed 12 years ago

Crash [@ js::mjit::EnterMethodJIT() ]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash)

Steps to reproduce:

export MOZ_NO_REMOTE=1
export NO_EM_RESTART=1
export XPCOM_DEBUG_BREAK=warn
export MOZ_CRASHREPORTER_NO_REPORT=1
export MOZ_CRASHREPORTER_DISABLE=1


Install http://bclary.com/projects/spider/spider/spider.xpi in a debug build.

firefox -spider -url 'http://es.wikia.com/' -depth 1 -start -quit > test.log 2>&1

Attach a debugger to the Firefox process and have a coffee.

You can find the crashing url in the log by finding the last Begin loading line.

I've had the best luck reproducing on XP so far.

There have been several js::mjit::EnterMethodJIT crashes in automation on Beta/10 Windows XP and Windows 7.

http://pl.wikia.com/wiki/Wikia_Polska
http://es.wikia.com/wiki/Wikia
http://www.wikia.com/Special:CreateWiki?uselang=es
http://www.wikia.com/Special:CreateWiki?uselang=ru

Unfortunately I haven't been able to reproduce these manually locally.

Automation also found related crashes using Aurora/11, Nightly/12 on Windows 7 and Nightly/12 on Linux at http://www.wikia.com/Special:CreateWiki?uselang=es

I attempted to reproduce locally by spidering and hit a related crash at http://es.gta.wikia.com/wiki/ on Windows XP with Beta/10.

        JSAutoResolveFlags rf(cx, RESOLVE_INFER);
=>        ok = JaegerTrampoline(cx, fp, code, stackLimit);
    }

 	08b23bff()	
>	mozjs.dll!js::mjit::EnterMethodJIT(JSContext * cx=0x09c35308, js::StackFrame * fp=0x04f90080, void * code=0x08b23b84, JS::Value * stackLimit=0x04fb0000, bool partial=true)  Line 1064 + 0x15 bytes	C++
 	mozjs.dll!CheckStackAndEnterMethodJIT(JSContext * cx=0x09c35308, js::StackFrame * fp=0x04f90080, void * code=0x08b23b84, bool partial=true)  Line 1125 + 0x19 bytes	C++
 	mozjs.dll!js::mjit::JaegerShot(JSContext * cx=0x09c35308, bool partial=true)  Line 1142 + 0x1d bytes	C++

though it is not directly reproducible. :-(

Some of the 'pseudo-stack/signatures' associated with these crashes are:

Nightly/Linux:
js::mjit::EnterMethodJIT js::StackSpace::firstUnused js::StackSpace::getStackLimit CheckStackAndEnterMethodJIT js::mjit::JaegerShot

Nightly/Windows 7:
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) JS::Value::isObject()

Nightly/Windows 7:
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) js::ContextStack::getCallFrame(JSContext*, js::MaybeReportError, js::CallArgs const&, JSFunction*, JSScript*, unsigned int*) CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)

Aurora/Windows 7:
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) js::ContextStack::getCallFrame(JSContext*, js::MaybeReportError, js::CallArgs const&, JSFunction*, JSScript*, unsigned int*) CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)

Beta/Windows XP|7:
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) js::StackSpace::firstUnused() CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)

Automation could no longer reproduce on Beta/11, Aurora/12, Nightly/13 -> WFM
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME