Closed
Bug 1166277
Opened 10 years ago
Closed 10 years ago
Crash [@ js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::WholeCellEdges>::trace(js::gc::StoreBuffer*, js::TenuringTracer&) ]
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
VERIFIED
FIXED
mozilla41
| Tracking | Status | |
|---|---|---|
| firefox40 | --- | unaffected |
| firefox41 | + | verified |
People
(Reporter: robin, Assigned: bhackett1024)
References
Details
(Keywords: crash, crashreportid, regression)
Crash Data
Attachments
(1 file)
|
1.37 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150519030202
Steps to reproduce:
Visited Google Maps, searched for ‘Maldives’, zoomed one level
Actual results:
Bang.
Expected results:
No bang. Example crash log: https://crash-stats.mozilla.com/report/index/c520bd6a-8af1-4d5a-914b-b7fa32150519
I’m on a MacBook Air with ‘Intel HD Graphics 5000 1536 MB’ if it’s a WebGL problem. There don’t seem to be any other reports, but it happened to me twice in quick succession.
|
Reporter | |
Updated•10 years ago
|
Severity: normal → critical
Crash Signature: js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::WholeCellEdges>::trace(js::gc::StoreBuffer*, js::TenuringTracer&)
Component: Untriaged → JavaScript: GC
Product: Firefox → Core
|
||
Comment 1•10 years ago
|
||
Could reproduce after loading a few tabs very quickly, searching for "maldives", zooming in and out, and then switching to a GMail tab.
bp-4ce6df97-9582-4775-90c2-074f12150519
bp-d9dbf443-f532-4252-b492-0bcc32150519
bp-e259b5f7-2951-4d0a-867d-c317d2150519
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 2•10 years ago
|
||
(note that the first crash also shows js::UnboxedPlainObject::create in the backtrace, and the latest nightly has unboxed objects by default)
|
Assignee | |
Comment 3•10 years ago
|
||
I think this will fix the problem. Ion was triggering post barriers for boxed objects instead of actual object pointers, because of a bug in the code which adds post barriers for writes to object properties of unboxed and typed objects.
Assignee: nobody → bhackett1024
Attachment #8607592 -
Flags: review?(jdemooij)
|
||
Updated•10 years ago
|
Attachment #8607592 -
Flags: review?(jdemooij) → review+
|
||
Comment 5•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox41:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Just updating the keywords based on the duped bug.
Keywords: crash,
regression
|
||
Updated•10 years ago
|
Crash Signature: js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::WholeCellEdges>::trace(js::gc::StoreBuffer*, js::TenuringTracer&) → [@ js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::WholeCellEdges>::trace(js::gc::StoreBuffer*, js::TenuringTracer&)]
status-firefox40:
--- → unaffected
Keywords: crashreportid
|
||
Updated•10 years ago
|
Crash Signature: [@ js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::WholeCellEdges>::trace(js::gc::StoreBuffer*, js::TenuringTracer&)] → [@ js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::WholeCellEdges>::trace(js::gc::StoreBuffer*, js::TenuringTracer&)]
[@ js::gc::GetGCThingTraceKind(void const*) ]
Benjamin, could you please confirm whether this bug is fixed in the latest nightly build or not? Adding a tracking flag for FF41 to ensure QE team verifies the fix.
tracking-firefox41:
--- → +
Flags: needinfo?(benj)
|
|
||
Comment 11•9 years ago
|
||
I can't reproduce the crash I was seeing on google maps with the latest nightly, so that looks fixed.
Flags: needinfo?(benj)
|
||
Comment 12•9 years ago
|
||
Thanks for the help, Benjamin. Marking this verified fixed based on Benjamin's result in comment 11.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•