Crash [@ QuoteString] on the nytimes.com site

VERIFIED FIXED in mozilla1.9.1

Status

P1
critical
VERIFIED FIXED
11 years ago
8 years ago

People

(Reporter: martijn.martijn, Assigned: brendan)

Tracking

(4 keywords)

Trunk
mozilla1.9.1
crash, regression, testcase, verified1.9.1
Bug Flags:
blocking1.9.1 +
in-testsuite +
in-litmus -

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
Created attachment 335204 [details]
testcase

When I have the jit prefs enabled in the latest trunk build of Firefox (javascript.options.jit.chrome and javascript.options.jit.content), then I crash on the site I pasted in the url.

http://crash-stats.mozilla.com/report/index/7c9f8e1c-7157-11dd-9678-001a4bd43ed6
0  	js3250.dll  	QuoteString  	 js/src/jsopcode.cpp:587
1 	js3250.dll 	Decompile 	js/src/jsopcode.cpp:3796
2 	js3250.dll 	DecompileCode 	js/src/jsopcode.cpp:4698
3 	js3250.dll 	DecompileExpression 	js/src/jsopcode.cpp:5090
4 	js3250.dll 	js_DecompileValueGenerator 	js/src/jsopcode.cpp:4967
5 	js3250.dll 	js_ReportValueErrorFlags 	js/src/jscntxt.cpp:1329
6 	js3250.dll 	js3250.dll@0x58732 	
7 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:4253
8 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1549
9 	js3250.dll 	js_obj_eval 	js/src/jsobj.cpp:1341
10 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1308
11 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:4963
12 	js3250.dll 	js_Execute 	js/src/jsinterp.cpp:1549
13 	js3250.dll 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:5054
14 	xul.dll 	nsJSContext::EvaluateString 	dom/src/base/nsJSEnvironment.cpp:1540
15 	xul.dll 	nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:594
16 	xul.dll 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:504
17 	xul.dll 	nsScriptLoader::ProcessScriptElement 	content/base/src/nsScriptLoader.cpp:458
18 	xul.dll 	nsContentUtils::HasNonEmptyTextContent 	content/base/src/nsContentUtils.cpp:3641
19 	xul.dll 	nsScriptElement::MaybeProcessScript 	content/base/src/nsScriptElement.cpp:188
I'm seeing this crash with one of my sessions with both JIT prefs at their default value (false). I can't tell which page in the session triggers the crash, though.
I crash with this stack every time I load Zimbra. :(
Flags: blocking1.9.1?
OS: Windows XP → All
Brendan's offered to take this. Here's a reduced testcase:

(function(k){eval("k.y")})({})
Assignee: general → brendan

Updated

11 years ago
Blocks: 452298

Updated

11 years ago
Duplicate of this bug: 452344
(Assignee)

Updated

11 years ago
Duplicate of this bug: 452298
(Assignee)

Comment 6

11 years ago
Failing reduced testcase:

(function(k){eval("k.y")})()

/be
Status: NEW → ASSIGNED
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1
(Assignee)

Comment 7

11 years ago
Created attachment 335680 [details] [diff] [review]
fix
Attachment #335680 - Flags: review?(mrbkap)
Attachment #335680 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 9

11 years ago
Fixed on mozilla-central:

http://hg.mozilla.org/mozilla-central/index.cgi/rev/61ee5bbbe005

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated

11 years ago
Blocks: 445262
No longer blocks: 452298
Keywords: regression

Comment 10

11 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-451884.js,v  <--  regress-451884.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/3ae03411eae7
Flags: in-testsuite+
Flags: in-litmus-

Updated

10 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090122 Shiretoko/3.1b3pre
and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090122 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Crash Signature: [@ QuoteString]