There are a good number of these crashes in Firefox 1.0 RC1 for gmail users. Here's the latest from Talkback: Count Offset Real Signature [ 46 js_Interpret c8839217 - js_Interpret ] Crash date range: 01-NOV-04 to 31-OCT-04 Min/Max Seconds since last crash: 10 - 360048 Min/Max Runtime: 11 - 372710 Count Platform List 46 Windows XP [Windows NT 5.1 build 2600] Count Build Id List 46 2004102622 No of Unique Users 22 Stack trace(Frame) js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2865] js_Execute [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1162] JS_EvaluateUCScriptForPrincipals [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 3649] nsJSContext::EvaluateString [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 946] nsScriptLoader::EvaluateScript [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 668] nsScriptLoader::ProcessRequest [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 581] nsScriptLoader::ProcessScriptElement [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 527] nsHTMLScriptElement::MaybeProcessScript [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp line 656] nsHTMLScriptElement::SetDocument [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp line 469] HTMLContentSink::ProcessSCRIPTTag [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 4341] HTMLContentSink::AddLeaf [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 3195] HTMLContentSink::AddHeadContent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 3146] CNavDTD::AddHeadLeaf [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 3839] CNavDTD::HandleStartToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 1832] CNavDTD::HandleToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 1019] CNavDTD::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 511] nsParser::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/nsParser.cpp line 2004] (1627002) URL: www.gmail.com (1621500) URL: www.gmail.com (1610025) URL: http://www.gamearena.com.au/ (1610025) Comments: I had just opened firefox and opened my six favourite webpages with the "Open in tabs" option and it crashed to desktop when I started looking at each webpage. (1608536) URL: www.gmail.com (1608532) URL: www.gmail.com (1608525) URL: www.gmail.com (1608521) URL: www.gmail.com (1607539) URL: https://gmail.google.com.br/gmail (1605209) URL: www.gmail.com (1602706) URL: www.gmail.com (1602128) URL: www.gmail.com (1598423) URL: www.gmail.com (1596267) URL: www.gmail.com (1594765) URL: http://gmail.google.com/ (1594716) URL: http://gmail.google.com/ (1593034) URL: www.gmail.com (1588653) URL: http://gmail.google.com/gmail (1588653) Comments: opening a new tab. (1579506) URL: www.gmail.com (1577615) URL: www.gmail.com (1573714) URL: www.gmail.com (1572604) URL: http://gmail.google.com (1572604) Comments: Logging in to Gmail. Not sure if this is related, but bug 244178 might be worth a quick look. I have been using gmail with recent Aviary builds and have not been able to reproduce. Not much info in comments to work with, so maybe the stack can provide a clue?
Need to get some brains on this for 1.0. /be
Created attachment 164790 [details] [diff] [review] Add more SAVE_SP(fp) calls before OBJ_* call-outs This may help fix some top-crash bugs; it can't hurt (we could SAVE_SP(fp) at the top of the interpreter loop body and protect all cases, but that would hurt perf and waste all the effort to keep sp in a "register" [which is pretty much wasted on x86 anyway]). /be
Comment on attachment 164790 [details] [diff] [review] Add more SAVE_SP(fp) calls before OBJ_* call-outs Looks good (and v. safe -- at worst, harmless) to me. r=shaver.
This is good for the branches. /be
Comment on attachment 164790 [details] [diff] [review] Add more SAVE_SP(fp) calls before OBJ_* call-outs I'll let someone else mark approvals. /be
Comment on attachment 164790 [details] [diff] [review] Add more SAVE_SP(fp) calls before OBJ_* call-outs a=asa for checkin to the branches.
Fixed everywhere. /be
or
