Closed Bug 1005646 Opened 6 years ago Closed 6 years ago

crash in js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1005590

People

(Reporter: ehoogeveen, Unassigned)

References

()

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-d659a2ed-7179-4bb3-88fc-d1af12140504.
=============================================================

I get this crash consistently when going to any channel page on www.twitch.tv using today's Nightly. Other crash comments mention abcnews.com. It happens using a fresh profile with all plugins disabled. Setting javascript.options.ion to false fixes the crash.

I narrowed the range down on inbound:

Last Good:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb50d61e7777
First Bad:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2fbc044027e6
Regression Range:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=bb50d61e7777&tochange=2fbc044027e6

bz, which of these do you think is responsible?
Flags: needinfo?(bzbarsky)
Duplicate of this bug: 1005665
I've confirmed locally that this crash happens after applying the patch from bug 1004198, so setting this as blocking that bug. I'm also adding the crash signature from duplicate bug 1005665.
Blocks: 1004198
Crash Signature: [@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)] → [@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)] [@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
http://travis-ci.org/ is another site that crashes constantly.
Pretty sure this is because an |OutOfLineTestObject| can be created and added (i.e. |addOutOfLineCode|) in |visitTestVAndBranch| without it being fully initialized by |testObjectEmulatesUndefinedKernel|, since bz's patch added some early return logic to |TestValueTruthyKernel| here: http://dxr.mozilla.org/mozilla-central/source/js/src/jit/CodeGenerator.cpp?from=testvaluetruthykernel#536
I'd assume this is a duplicate of bug 1005590.

For what it's worth, the scenario of comment 5 can't happen with visitTestVAndBranch, but can happen with visitNotV (and sadly that wasn't caught by our test suite, unlike visitTestVAndBranch).
Depends on: 1005590
Flags: needinfo?(bzbarsky)
I've confirmed that the fix for bug 1005590 fixes this.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1005590
I'm still getting this bug (https://crash-stats.mozilla.com/report/index/ad598f68-75e4-415b-9ace-4fbcc2140505) on https://anki.studypact.com/ upon sign-in (unfortunately, requires an account/CC# to reproduce).
Are you using a current tip inbound build?  I checked in the patch for bug 1005590 less than two hours ago.
05.05.14 Firefox 32.0a1 Crash Report [@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*) ]
https://crash-stats.mozilla.com/report/index/c26e61d2-ff14-48ec-ac7c-df3fd2140505
site: www.aliexpress.com
That build obviously can't have the patch, since its timestamped two hours before the patch was checked in.
Duplicate of this bug: 1006076
Duplicate of this bug: 1005794
Parent bug is protected, I'm still seeing this in today's Nightly.
Flags: needinfo?(bzbarsky)
Kyle, what's the build id of the build you're seeing this in?
Flags: needinfo?(bzbarsky)
Flags: needinfo?(kyle.leet)
And in particular, would that build be built from a revision that's a descendant of https://hg.mozilla.org/mozilla-central/rev/fbe9c7cc085d ?  I can check that given the hg changeset ID from about:buildconfig.
(In reply to Boris Zbarsky [:bz] from comment #15)
> And in particular, would that build be built from a revision that's a
> descendant of https://hg.mozilla.org/mozilla-central/rev/fbe9c7cc085d ?  I
> can check that given the hg changeset ID from about:buildconfig.

https://crash-stats.mozilla.com/report/index/392d1946-5edd-4c07-ae78-836f12140506
Flags: needinfo?(kyle.leet)
OK, that should have my patch for sure.  What site are you seeing the crash on?
In particular, I'm not seeing a crash on http://www.twitch.tv/test/ locally...
Flags: needinfo?(kyle.leet)
(In reply to Boris Zbarsky [:bz] from comment #18)
> OK, that should have my patch for sure.  What site are you seeing the crash
> on?
No reliable case. The crash happened when I changed tabs; though.

Other crashes https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=3&signature=js%3A%3Ajit%3A%3AAssemblerX86Shared%3A%3Aj%28js%3A%3Ajit%3A%3AAssemblerX86Shared%3A%3ACondition%2C+js%3A%3Ajit%3A%3ALabel*%29#tab-comments

Seem to suggest Twitch, presumably that's what your cset fixed? People on the same build as me alibaba.com , aliexpress.com. Can we reopen this bug, or make the parent not protected?
Flags: needinfo?(bzbarsky)
I asked whether we can open up bug 1005590.

That said, I just looked again and the crash report linked in comment 16 is from a build with timestamp 20140505030202, which is before the fix for bug 1005590 was checked in, and not matching the revision id in comment 17.

Looking at the other crashes with this signature and sorting by build timestamp, all of them are with 20140505030202 or earlier.
Flags: needinfo?(bzbarsky)
Checked with NTT and indeed I'm no longer on 20140505030202, presumably the update was silent after I crashed? Anyways, yeah, this is all old; sorry.

Any idea how I can check my version string without installing Nightly Tester Tools? It doesn't appear that it's printed on any about: pages.
Flags: needinfo?(kyle.leet)
The Firefox about dialog shows things like "32.0a1 (2014-05-03)".

But usually just the changeset id is the most useful thing...
FWIW, you can find the build ID by going to about:healthreport and looking at the raw data, it's in the first section of that raw data and called appBuildID.
You need to log in before you can comment on or make changes to this bug.