721345 - crash js::ContextStack::popInvokeArgs, Browser Crashes when close a tab(heavy script site)

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Alice0775 White]

Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/0d5ad6a6f814
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120125 Firefox/12.0a1 ID:20120125064912


Nightly12.0a1 bp-6fd9285c-1804-4f0f-9b8c-542712120126
Aurora 11.0a2 bp-673982b6-6213-43c9-b8e4-adf622120126
Beta10.0      bp-51287043-62ac-404d-a491-a0bda2120126
Firefox9.0.1  bp-06cc970c-f93a-49e2-8c4b-3e72c2120126
Firefox8.0    bp-84118e5b-5d2e-4883-b36c-2723b2120126


Browser Crashes when close a tab.

*Crashes on Firefox8.0 to Nightly12.0a2.
*Firefox7 STR Cannot run.


STR (slow PC is required)
1. Open more than 2 tab and https://developer.mozilla.org/en-US/demos/detail/javascript-ray-tracer
2. Click "LAUNCH DEMO" red button
3. Click "single_light" (at 2nd row/5th column)
4. Click "Ray Trace!" blue button
5. Close this tab(ctrl+W),  just before slow script dialog pops up (13-18second)
6. Wait until the tab is completely closed
7. Slow script dialog will pops up, Click "Stop script"
8. Repeat step3 to step7 if browser does not crash.

Actual result
  Browser crashes w/ crash report

Comment 1

[Kyle Huey (Exited; not receiving bugmail, old account, do not use)]

Looks js-y, punting it over.

Comment 2

[Alice0775 White]

Can not run STR
http://hg.mozilla.org/integration/mozilla-inbound/rev/22b20e5dcdce
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0a1) Gecko/20110725 Firefox/8.0a1 ID:20110725152331
Crashes w/ STR
http://hg.mozilla.org/integration/mozilla-inbound/rev/e385a9429c3a
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0a1) Gecko/20110725 Firefox/8.0a1 ID:20110725185810

Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=22b20e5dcdce&tochange=e385a9429c3a

Triggered by:
f631e1b0e296	Ben Turner — Bug 649537 - 'Workers: Make one OS thread and JS runtime per worker, and lose XPConnect'. r=sicking+mrbkap. * * * Bug 649537 - 'Workers: Make one OS thread and JS runtime per worker, and lose XPConnect'. r=sicking+mrbkap. Add workaround for bug 666963.

Comment 3

[Ben Turner (not reading bugmail, use the needinfo flag!)]

Even so, I think this looks like a JS bug. Needs some investigation by a JS peer.

Comment 4

[Alice0775 White]

Sorry BuildId in comment #0 is
http://hg.mozilla.org/mozilla-central/rev/005488525c43
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120125 Firefox/12.0a1 ID:20120125031119


And it seemed to be fixed.
I cannot reproduce anymore on
http://hg.mozilla.org/mozilla-central/rev/0d5ad6a6f814
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120125 Firefox/12.0a1 ID:20120125064912

And this is seems to be duplication of Bug 714639.

Fixed window(m-c):
Reproduce:
http://hg.mozilla.org/mozilla-central/rev/03ae304e45af
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120125 Firefox/12.0a1 ID:20120125052451
Cannot reproduce:
http://hg.mozilla.org/mozilla-central/rev/0d5ad6a6f814
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120125 Firefox/12.0a1 ID:20120125064912
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=03ae304e45af&tochange=0d5ad6a6f814


Fixed window(m-i):
Reproduce:
http://hg.mozilla.org/integration/mozilla-inbound/rev/040975f3210a
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120124 Firefox/12.0a1 ID:20120124102247
Cannot reproduce:
http://hg.mozilla.org/integration/mozilla-inbound/rev/79deba022227
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20120124 Firefox/12.0a1 ID:20120124104951
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=040975f3210a&tochange=79deba022227

Fixed by:
79deba022227	Luke Wagner — Bug 675078 - rm JSThreadData and JSThread (JSRuntime is now officially single-threaded) (r=igor)