Closed Bug 267797 Opened 21 years ago Closed 21 years ago

FF10RC1 crash with gmail.com [@ js_Interpret c8839217]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jay, Assigned: brendan)

Details

(5 keywords)

Crash Data

Attachments

(1 file)

Add more SAVE_SP(fp) calls before OBJ_* call-outs
8.42 KB, patch
shaver
: review+
asa
: approval-aviary+
asa
: approval1.7.5+
Details | Diff | Splinter Review
There are a good number of these crashes in Firefox 1.0 RC1 for gmail users. Here's the latest from Talkback: Count Offset Real Signature [ 46 js_Interpret c8839217 - js_Interpret ] Crash date range: 01-NOV-04 to 31-OCT-04 Min/Max Seconds since last crash: 10 - 360048 Min/Max Runtime: 11 - 372710 Count Platform List 46 Windows XP [Windows NT 5.1 build 2600] Count Build Id List 46 2004102622 No of Unique Users 22 Stack trace(Frame) js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2865] js_Execute [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1162] JS_EvaluateUCScriptForPrincipals [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 3649] nsJSContext::EvaluateString [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 946] nsScriptLoader::EvaluateScript [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 668] nsScriptLoader::ProcessRequest [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 581] nsScriptLoader::ProcessScriptElement [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsScriptLoader.cpp line 527] nsHTMLScriptElement::MaybeProcessScript [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp line 656] nsHTMLScriptElement::SetDocument [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp line 469] HTMLContentSink::ProcessSCRIPTTag [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 4341] HTMLContentSink::AddLeaf [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 3195] HTMLContentSink::AddHeadContent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp line 3146] CNavDTD::AddHeadLeaf [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 3839] CNavDTD::HandleStartToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 1832] CNavDTD::HandleToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 1019] CNavDTD::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/CNavDTD.cpp line 511] nsParser::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/htmlparser/src/nsParser.cpp line 2004] (1627002) URL: www.gmail.com (1621500) URL: www.gmail.com (1610025) URL: http://www.gamearena.com.au/ (1610025) Comments: I had just opened firefox and opened my six favourite webpages with the "Open in tabs" option and it crashed to desktop when I started looking at each webpage. (1608536) URL: www.gmail.com (1608532) URL: www.gmail.com (1608525) URL: www.gmail.com (1608521) URL: www.gmail.com (1607539) URL: https://gmail.google.com.br/gmail (1605209) URL: www.gmail.com (1602706) URL: www.gmail.com (1602128) URL: www.gmail.com (1598423) URL: www.gmail.com (1596267) URL: www.gmail.com (1594765) URL: http://gmail.google.com/ (1594716) URL: http://gmail.google.com/ (1593034) URL: www.gmail.com (1588653) URL: http://gmail.google.com/gmail (1588653) Comments: opening a new tab. (1579506) URL: www.gmail.com (1577615) URL: www.gmail.com (1573714) URL: www.gmail.com (1572604) URL: http://gmail.google.com (1572604) Comments: Logging in to Gmail. Not sure if this is related, but bug 244178 might be worth a quick look. I have been using gmail with recent Aviary builds and have not been able to reproduce. Not much info in comments to work with, so maybe the stack can provide a clue?
Need to get some brains on this for 1.0. /be
Flags: blocking-aviary1.0?
This may help fix some top-crash bugs; it can't hurt (we could SAVE_SP(fp) at the top of the interpreter loop body and protect all cases, but that would hurt perf and waste all the effort to keep sp in a "register" [which is pretty much wasted on x86 anyway]). /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Comment on attachment 164790 [details] [diff] [review] Add more SAVE_SP(fp) calls before OBJ_* call-outs Looks good (and v. safe -- at worst, harmless) to me. r=shaver.
Attachment #164790 - Flags: review+
This is good for the branches. /be
Keywords: js1.5
Comment on attachment 164790 [details] [diff] [review] Add more SAVE_SP(fp) calls before OBJ_* call-outs I'll let someone else mark approvals. /be
Attachment #164790 - Flags: approval1.7.x?
Attachment #164790 - Flags: approval-aviary?
Comment on attachment 164790 [details] [diff] [review] Add more SAVE_SP(fp) calls before OBJ_* call-outs a=asa for checkin to the branches.
Attachment #164790 - Flags: approval1.7.x?
Attachment #164790 - Flags: approval1.7.x+
Attachment #164790 - Flags: approval-aviary?
Attachment #164790 - Flags: approval-aviary+
Fixed everywhere. /be
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Keywords: fixed-aviary1.0, fixed1.7.x
Resolution: --- → FIXED
Flags: testcase-
Crash Signature: [@ js_Interpret c8839217]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: