Closed
Bug 454942
Opened 16 years ago
Closed 16 years ago
TM: After enabling the new JIT support and browsing an ext.js based site, Firefox 3.1 crashes [@ nanojit::LIns::isop]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: mark, Assigned: jimb)
References
()
Details
(Keywords: crash)
Crash Data
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b1pre) Gecko/20080911020347 Minefield/3.1b1pre Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b1pre) Gecko/20080911020347 Minefield/3.1b1pre After enabling the new JIT support from about:config, and browsing to an ext.js based application/site (such as the extjs.com example mentioned in this ticket) Firefox 3.1 immediately crashes. Reproducible: Always Steps to Reproduce: 1. Enabled JIT from about:config 2. Browse to http://extjs.com/deploy/dev/examples/feed-viewer/view.html 3. Cry like a baby, and submit a bug report. Actual Results: Firefox crashes. Expected Results: The application should be rendered.
|
||
Updated•16 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: After enabling the new JIT support and browsing an ext.js based site, Firefox 3.1 crashes → TM: After enabling the new JIT support and browsing an ext.js based site, Firefox 3.1 crashes
|
Assignee | |
Comment 2•16 years ago
|
||
I've been able to reproduce this with M-C changeset f76419292bfd, although it takes a bit of fiddling (visiting the page again; opening the history side pane, selecting the page, closing the history pane).
Just loading the page using build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080915032512 Minefield/3.1b1pre http://crash-stats.mozilla.com/report/index/5f438a68-833f-11dd-a41f-001cc45a2c28?p=1
Signature nanojit::LIns::isop(nanojit::LOpcode) UUID 5f438a68-833f-11dd-a41f-001cc45a2c28 Time 2008-09-15 09:00:04-07 Uptime 715 Product Firefox Version 3.1b1pre Build ID 20080915032512 OS Windows NT OS Version 5.1.2600 Service Pack 2 CPU x86 CPU Info GenuineIntel family 15 model 2 stepping 9 Crash Reason EXCEPTION_ACCESS_VIOLATION Crash Address 0x0 Comments Crashing Thread Frame Module Signature Source 0 js3250.dll nanojit::LIns::isop js/src/nanojit/LIR.h:343 1 js3250.dll isi2f js/src/jstracer.cpp:290 2 js3250.dll isPromoteInt js/src/jstracer.cpp:353 3 js3250.dll TraceRecorder::writeBack js/src/jstracer.cpp:1381 4 js3250.dll TraceRecorder::set js/src/jstracer.cpp:1411 5 js3250.dll TraceRecorder::record_JSOP_CALL js/src/jstracer.cpp:4811 6 js3250.dll js3250.dll@0x66992 7 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 8 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 9 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 10 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 11 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 12 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 13 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 14 js3250.dll fun_call js/src/jsfun.cpp:1642 15 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 16 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 17 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 18 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 19 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 20 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 21 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 22 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 23 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 24 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 25 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 26 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 27 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 28 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 29 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 30 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 31 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 32 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 33 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 34 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 35 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 36 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 37 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 38 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 39 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 40 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 41 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 42 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 43 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 44 js3250.dll js_fun_apply js/src/jsfun.cpp:1731 45 js3250.dll js_Interpret js/src/jsinterp.cpp:4960 46 js3250.dll js_Invoke js/src/jsinterp.cpp:1324 47 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1523 48 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:565 49 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114 50 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141 51 xul.dll nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1080
Component: General → JavaScript Engine
Keywords: stackwanted
Product: Firefox → Core
QA Contact: general → general
Summary: TM: After enabling the new JIT support and browsing an ext.js based site, Firefox 3.1 crashes → TM: After enabling the new JIT support and browsing an ext.js based site, Firefox 3.1 crashes [@ nanojit::LIns::isop]
Version: unspecified → Trunk
|
|
Assignee | |
Comment 5•16 years ago
|
||
As of Sep 22 10:58 -0500 (427a44cf7ccd), I'm unable to make this crash any more. Could the original reporter verify and close if he agrees?
|
||
Comment 6•16 years ago
|
||
This probably argc > nargs which David fixed recently.
|
Reporter | |
Comment 7•16 years ago
|
||
Using the latest available nightly (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b1pre) Gecko/20080922020442 Minefield/3.1b1pre) I still see Firefox crashing when enabling the JIT, the crash log/report for this is: http://crash-stats.mozilla.com/report/index/88897f94-88f7-11dd-9ecc-0013211cbf8a?p=1
|
|
||
Comment 8•16 years ago
|
||
Mark: sorry for confusion, Jim and Andreas are talking about tracemonkey builds, not mozilla-central builds. We will update mozilla-central today. /be
|
|
Reporter | |
Comment 9•16 years ago
|
||
After downloading the latest trace-monkey build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-tracemonkey/firefox-3.1b1pre.en-US.linux-i686.tar.bz2 [ Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b1pre) Gecko/20080922020927 Minefield/3.1b1pre ] I still saw the crash after enabling the JIT: http://crash-stats.mozilla.com/report/index/f4ba0e9e-88fa-11dd-84db-001cc4e2bf68?p=1
|
|
||
Updated•16 years ago
|
Assignee: nobody → brendan
Status: NEW → ASSIGNED
|
|
||
Comment 10•16 years ago
|
||
Jim, could you please work with Mark to reproduce and diagnose? Thanks, /be
Assignee: brendan → jim
|
|
||
Comment 11•16 years ago
|
||
Confirmed. Just saw the crash.
|
|
Assignee | |
Comment 12•16 years ago
|
||
Will do.
|
|
||
Comment 13•16 years ago
|
||
This might be the globalObj->dslots reallocation issue we are debugging at the moment in Zimbra. I will retest once we have that fixed.
|
|
||
Comment 14•16 years ago
|
||
I can't reproduce it any more with TM tip. If you still see the bug with the most recent tinderbox build of tracemonkey (ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/tracemonkey-linux), please re-open. http://hg.mozilla.org/tracemonkey/rev/e8d1e82b64be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Comment 15•16 years ago
|
||
I've not tried compiling from tip, but I just downloaded ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/tracemonkey-linux/1222201978/firefox-3.1b1pre.en-US.linux-i686.tar.bz2 and still crashed: http://crash-stats.mozilla.com/report/index/1498da6b-89b7-11dd-a03c-001cc45a2ce4?p=1 I see there's now a newer build since I downloaded so will try that as well.
|
|
Reporter | |
Comment 16•16 years ago
|
||
No such joy - http://crash-stats.mozilla.com/report/index/d52cd135-89b7-11dd-adc9-001321b13766?p=1
|
|
||
Comment 17•16 years ago
|
||
We just fixed this a few minutes ago so the tinderboxes should pick this up and produce builds "soon".
|
|
||
Comment 18•16 years ago
|
||
Lets reopen this until you can confirm that its fixed.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
|
|
Reporter | |
Comment 19•16 years ago
|
||
Using the new tinderbox build from ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/tracemonkey-linux/1222212132/firefox-3.1b1pre.en-US.linux-i686.tar.bz2 I still crashed loading the URL above: http://crash-stats.mozilla.com/report/index/845a03a1-89d1-11dd-879d-001321b13766?p=1
|
|
Assignee | |
Comment 20•16 years ago
|
||
Reproduced on tm trunk 2fa92f95eaaf (Wed 13:12 -0700). Helps to click on "Reading Pane"?
Is bug 455625 a dupe of this? If so I can reproduce it, the underlying crash is bug 456494.
|
|
Reporter | |
Comment 22•16 years ago
|
||
For me - the crash occurs on initial load, so I don't even get a chance to click on 'reading pane'. bug 455625 sounds very dupe-like (from a user point of view at least).
|
|
||
Comment 24•16 years ago
|
||
Jim, we think this tracemonkey commit fixed this bug among others: http://hg.mozilla.org/tracemonkey/rev/487cb5edf3c8 Could you verify and if so, close this bug? David sees another crash on the bug URL, which should be filed if it's not already, but we'd like to get past this one. Thanks, /be
|
|
Reporter | |
Comment 25•16 years ago
|
||
Not sure if this crash is related, but with the latest 3.1 nightly build, WITHOUT the JIT enabled, clicking through my ext.js based app crashed firefox: http://crash-stats.mozilla.com/report/index/9bf804cf-8aa0-11dd-bb9b-0013211cbf8a?p=1
|
||
Comment 26•16 years ago
|
||
WFM (including clicking Reading Pane part) using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Minefield/3.1b1pre
|
|
||
Comment 27•16 years ago
|
||
(In reply to comment #25) > Not sure if this crash is related, but with the latest 3.1 nightly build, > WITHOUT the JIT enabled, clicking through my ext.js based app crashed firefox: > > http://crash-stats.mozilla.com/report/index/9bf804cf-8aa0-11dd-bb9b-0013211cbf8a?p=1 That's a different stack trace and you mentioned that JIT is DISABLED. You might want to file a separate bug.
|
|
Assignee | |
Comment 28•16 years ago
|
||
I also think this is fixed with the latest tm sources. Mark, feel free to re-open this bug if you disagree.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 29•16 years ago
|
||
Using the tinderbox/tracemonkey build ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/tracemonkey-linux/1222377731/firefox-3.1b1pre.en-US.linux-i686.tar.bz2 I saw the feed reader sample page load and display, which is a lot more than I initially saw (or saw with previous builds), however, Firefox still crashed momentarily after the page loaded. The crash log is: http://crash-stats.mozilla.com/report/index/86206491-8b4d-11dd-8a96-001cc45a2ce4?p=1 I suspect this may actually be a new problem? If so, I'll open a new ticket for it.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 30•16 years ago
|
||
Ok, can you please file a new bug and make sure that "TM:" is in the subject line and mark it as critical. I will pick it up. Please link it here in the comments. I will close this bug here (doesn't crash for me, just verified again, need to figure out why your config still crashes, might be a plugin interaction).
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Comment 31•16 years ago
|
||
Just entered the additional ticket as https://bugzilla.mozilla.org/show_bug.cgi?id=457107
|
||
Updated•13 years ago
|
Crash Signature: [@ nanojit::LIns::isop]
You need to log in
before you can comment on or make changes to this bug.
Description
•