Closed
Bug 451969
Opened 16 years ago
Closed 16 years ago
TM: Crash on www.chip.de [@ js_EqualStrings]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: mcsmurf, Unassigned)
References
()
Details
(Keywords: crash)
Crash Data
To reproduce: 0. Enable TM via javascript.options.jit.content 1. Go to http://www.chip.de Results: Crash Stacktrace: 0:000> kp ChildEBP RetAddr 0012f7f8 00452077 js3250!js_EqualStrings(struct JSString * str1 = 0x170d9570, struct JSString * str2 = 0x00001d48)+0xf1 [f:\mozilla\tree-hg\src\mozilla\js\src\jsstr.cpp @ 2845] 0012f8c4 0044ee06 js3250!js_Interpret(struct JSContext * cx = 0x09fc2840)+0x29e7 [f:\mozilla\tree-hg\src\mozilla\js\src\jsinterp.cpp @ 3621] 0012f94c 00427541 js3250!js_Execute(struct JSContext * cx = 0x170dcb80, struct JSObject * chain = 0x03d70ae0, struct JSScript * script = 0x0a98b8b8, struct JSStackFrame * down = 0x00000000, unsigned int flags = 0, long * result = 0x00000000)+0x1d6 [f:\mozilla\tree-hg\src\mozilla\js\src\jsinterp.cpp @ 1550] *** WARNING: Unable to verify checksum for F:\mozilla\tree-hg\obj-suite\mozilla\dist\bin\components\gklayout.dll 0012f978 01c422a9 js3250!JS_EvaluateUCScriptForPrincipals(struct JSContext * cx = 0x09fc2840, struct JSObject * obj = 0x03d70ae0, struct JSPrincipals * principals = 0x093d2344, unsigned short * chars = 0x17344070, unsigned int length = 0x58e4, char * filename = 0x0b2fbf58 "http://www.chip.de/js/omniture_somtr_code.js?version=H.15.1.20080603", unsigned int lineno = 1, long * rval = 0x00000000)+0x61 [f:\mozilla\tree-hg\src\mozilla\js\src\jsapi.cpp @ 5054] 0012f9ec 01b93127 gklayout!nsJSContext::EvaluateString(class nsAString_internal * aScript = 0x095fd5f0, void * aScopeObject = 0x03d70ae0, class nsIPrincipal * aPrincipal = 0x093d2340, char * aURL = 0x0b2fbf58 "http://www.chip.de/js/omniture_somtr_code.js?version=H.15.1.20080603", unsigned int aLineNo = 1, unsigned int aVersion = 0, class nsAString_internal * aRetValue = 0x00000000, int * aIsUndefined = 0x0012fa20)+0x194 [f:\mozilla\tree-hg\src\mozilla\dom\src\base\nsjsenvironment.cpp @ 1540] 0012fa9c 01b935a9 gklayout!nsScriptLoader::EvaluateScript(class nsScriptLoadRequest * aRequest = 0x095fd5e0, class nsString * aScript = 0x095fd5f0)+0x175 [f:\mozilla\tree-hg\src\mozilla\content\base\src\nsscriptloader.cpp @ 597] 0012fb50 01b9398d gklayout!nsScriptLoader::ProcessRequest(class nsScriptLoadRequest * aRequest = 0x095fd5e0)+0x70 [f:\mozilla\tree-hg\src\mozilla\content\base\src\nsscriptloader.cpp @ 504] 0012fb70 01b93a3e gklayout!nsScriptLoader::ProcessPendingRequests(void)+0x43 [f:\mozilla\tree-hg\src\mozilla\content\base\src\nsscriptloader.cpp @ 654] [...]
Comment 1•16 years ago
|
||
At the given URI http://www.chip.de I got a slightly different Crash signature: [@ TraceRecorder::record_JSOP_GETARGPROP() ] Two Crash-Reporter IDs: ID: bp-71bda280-7202-11dd-b1f2-0013211cbf8a ID: bp-8abd7170-7205-11dd-bf91-001a4bd43ef6 with JIT content enabled. Different Bug, or not?
URL: http://www.chip.de/
Comment 2•16 years ago
|
||
(In reply to comment #1) > At the given URI http://www.chip.de I got a slightly different Crash signature: > [@ TraceRecorder::record_JSOP_GETARGPROP() ] > > Two Crash-Reporter IDs: > ID: bp-71bda280-7202-11dd-b1f2-0013211cbf8a > ID: bp-8abd7170-7205-11dd-bf91-001a4bd43ef6 > > with JIT content enabled. Different Bug, or not? Different bug is best. We can dup or mark dependent if symptoms turn out to be due to same underlying cause. Until we know, symptom per bug is good practice. If we have strong reason to believe two symptoms have the same cause, even if we don't quite have a fix (IOW, we have a diagnosis), then one bug for both is ok. /be
Comment 3•16 years ago
|
||
(In reply to comment #2) > (In reply to comment #1) > > At the given URI http://www.chip.de I got a slightly different Crash signature: > > [@ TraceRecorder::record_JSOP_GETARGPROP() ] > Different bug is best. Done: See Bug 451977
Comment 4•16 years ago
|
||
dupe of bug 451873?
Comment 5•16 years ago
|
||
(In reply to comment #4) > dupe of bug 451873? Not if that bug, or bug 451900, has a null JSString* actual parameter to js_EqualStrings, while this bug has both args non-null. /be
we hit something in linux-arm where gdb claims one of the two jsstring*s is null, but afaict that's just the optimizer recycling a register and the debugging information not being detailed enough for the debugger to follow. (we actually hit it a lot)
Comment 7•16 years ago
|
||
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080903034741 Minefield/3.1b1pre older report: Firefox 3.1a2pre Crash Report [@ nanojit::LirReader::read() ] http://crash-stats.mozilla.com/report/index/4876f6dc-73ff-11dd-a2f6-001cc4e2bf68
Comment 8•16 years ago
|
||
WFM using today's nightly with both JIT Chrome & Content enabled: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1pre) Gecko/20080904035000 Minefield/3.1b1pre Firefox/3.0 ID:20080904035000
Comment 9•16 years ago
|
||
Japp, WFM too with yesterdays and todays Nightly Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080904003653 Mnenhy/0.7.5.20005 SeaMonkey/2.0a1pre I can't reproduce the crash anymore, so this might be closed=worksforme now.
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ js_EqualStrings]
You need to log in
before you can comment on or make changes to this bug.
Description
•