Closed Bug 1005646 Opened 6 years ago Closed 6 years ago
crash in js::jit::Assembler
X86Shared::j Src(js::jit::Assembler X86Shared::Condition, js::jit::Label*)
I've confirmed locally that this crash happens after applying the patch from bug 1004198, so setting this as blocking that bug. I'm also adding the crash signature from duplicate bug 1005665.
Crash Signature: [@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)] → [@ js::jit::AssemblerX86Shared::jSrc(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)] [@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*)]
http://travis-ci.org/ is another site that crashes constantly.
Pretty sure this is because an |OutOfLineTestObject| can be created and added (i.e. |addOutOfLineCode|) in |visitTestVAndBranch| without it being fully initialized by |testObjectEmulatesUndefinedKernel|, since bz's patch added some early return logic to |TestValueTruthyKernel| here: http://dxr.mozilla.org/mozilla-central/source/js/src/jit/CodeGenerator.cpp?from=testvaluetruthykernel#536
I'd assume this is a duplicate of bug 1005590. For what it's worth, the scenario of comment 5 can't happen with visitTestVAndBranch, but can happen with visitNotV (and sadly that wasn't caught by our test suite, unlike visitTestVAndBranch).
Depends on: 1005590
I've confirmed that the fix for bug 1005590 fixes this.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1005590
I'm still getting this bug (https://crash-stats.mozilla.com/report/index/ad598f68-75e4-415b-9ace-4fbcc2140505) on https://anki.studypact.com/ upon sign-in (unfortunately, requires an account/CC# to reproduce).
Are you using a current tip inbound build? I checked in the patch for bug 1005590 less than two hours ago.
05.05.14 Firefox 32.0a1 Crash Report [@ js::jit::AssemblerX86Shared::j(js::jit::AssemblerX86Shared::Condition, js::jit::Label*) ] https://crash-stats.mozilla.com/report/index/c26e61d2-ff14-48ec-ac7c-df3fd2140505 site: www.aliexpress.com
That build obviously can't have the patch, since its timestamped two hours before the patch was checked in.
Parent bug is protected, I'm still seeing this in today's Nightly.
Kyle, what's the build id of the build you're seeing this in?
And in particular, would that build be built from a revision that's a descendant of https://hg.mozilla.org/mozilla-central/rev/fbe9c7cc085d ? I can check that given the hg changeset ID from about:buildconfig.
(In reply to Boris Zbarsky [:bz] from comment #15) > And in particular, would that build be built from a revision that's a > descendant of https://hg.mozilla.org/mozilla-central/rev/fbe9c7cc085d ? I > can check that given the hg changeset ID from about:buildconfig. https://crash-stats.mozilla.com/report/index/392d1946-5edd-4c07-ae78-836f12140506
OK, that should have my patch for sure. What site are you seeing the crash on?
In particular, I'm not seeing a crash on http://www.twitch.tv/test/ locally...
(In reply to Boris Zbarsky [:bz] from comment #18) > OK, that should have my patch for sure. What site are you seeing the crash > on? No reliable case. The crash happened when I changed tabs; though. Other crashes https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=3&signature=js%3A%3Ajit%3A%3AAssemblerX86Shared%3A%3Aj%28js%3A%3Ajit%3A%3AAssemblerX86Shared%3A%3ACondition%2C+js%3A%3Ajit%3A%3ALabel*%29#tab-comments Seem to suggest Twitch, presumably that's what your cset fixed? People on the same build as me alibaba.com , aliexpress.com. Can we reopen this bug, or make the parent not protected?
I asked whether we can open up bug 1005590. That said, I just looked again and the crash report linked in comment 16 is from a build with timestamp 20140505030202, which is before the fix for bug 1005590 was checked in, and not matching the revision id in comment 17. Looking at the other crashes with this signature and sorting by build timestamp, all of them are with 20140505030202 or earlier.
Checked with NTT and indeed I'm no longer on 20140505030202, presumably the update was silent after I crashed? Anyways, yeah, this is all old; sorry. Any idea how I can check my version string without installing Nightly Tester Tools? It doesn't appear that it's printed on any about: pages.
The Firefox about dialog shows things like "32.0a1 (2014-05-03)". But usually just the changeset id is the most useful thing...
FWIW, you can find the build ID by going to about:healthreport and looking at the raw data, it's in the first section of that raw data and called appBuildID.
You need to log in before you can comment on or make changes to this bug.