Closed Bug 455450 Opened 17 years ago Closed 17 years ago

site doesn't display then crashes

Categories

(Core :: Memory Allocator, defect)

x86
Windows XP
defect
Not set
major

Tracking

RESOLVED WORKSFORME

People

(Reporter: info, Unassigned)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080915032512 Minefield/3.1b1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080915032512 Minefield/3.1b1pre ID:20080915032512
With javascript.options.jit.content enabled, site doesn't display properly. Clicking the tabs leads to a crash. Disabled, site works.
Reproducible: Always
Steps to Reproduce:
0. Have the Flash plug-in installed.
1. In about:config, set javascript.options.jit.content to false
2. visit http://www.toyota.com/prius-hybrid/exterior-360.html
3. In about:config, set javascript.options.jit.content to true
4. Reload.
5. Click the Exterior and Interior tabs
Actual Results: At step 4, you don't see the Flash movie. At step 4 or 5 I get a "Warning unresponsive script" alert, "Script: http://www.toyota.com/js/global/global.js:12". If I click [Stop script] in response to the alert, crash!
Expected Results: Site should show something and work.
Crash Reporter submitted crash reports from two different profiles, one is UserID: ff4593a0-b9d4-4cfd-9e07-e53043d89af3.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: site doesn't display then crashes with TraceMonkey enabled → TM: site doesn't display then crashes with TraceMonkey enabled
Confirmed. Seems to be interaction with flash. Have to diagnose.
Jim, another one like that .cz map site, maybe (at least, a hard case to diagnose). Feel free to share on #jsapi what you learn, we just need more people diagnosing in detail, trying for reduced testcases, etc. Thanks, /be
Assignee: general → jim
Nominating for blocking1.9.1. /be
Flags: blocking1.9.1?
In changeset 358a6b0a757c (Sun Sep 28), I can use the site, but Firefox does crash when I quit.
#0 0xb7fa2410 in __kernel_vsyscall ()
#1 0xb7293cb6 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7293ac7 in sleep () from /lib/tls/i686/cmov/libc.so.6
#3 0xb7f4b3cf in ah_crap_handler (signum=11) at /home/jimb/mc/tm/toolkit/xre/nsSigHandlers.cpp:149
#4 0xb7f4c696 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:216
#5 <signal handler called>
#6 0xb7af55fc in gtk_widget_hide () from /usr/lib/libgtk-x11-2.0.so.0
#7 0xac7a5ebb in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#8 0xac79b418 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#9 0xac794261 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#10 0xac798a17 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#11 0xb052d423 in nsNPAPIPluginInstance::Stop (this=0x9e27c480) at /home/jimb/mc/tm/modules/plugin/base/src/nsNPAPIPluginInstance.cpp:914
#12 0xb3f8c933 in DoStopPlugin (aInstanceOwner=0x9e29d400, aDelayedStop=0) at /home/jimb/mc/tm/layout/generic/nsObjectFrame.cpp:1873
#13 0xb3f8cf52 in nsStopPluginRunnable::Run (this=0xad27ea00) at /home/jimb/mc/tm/layout/generic/nsObjectFrame.cpp:1936
#14 0xb7cf34bb in nsThread::ProcessNextEvent (this=0xb6cbd100, mayWait=1, result=0xbff327e0) at /home/jimb/mc/tm/xpcom/threads/nsThread.cpp:510
#15 0xb7c7f7e1 in NS_ProcessNextEvent_P (thread=0xb6cbd100, mayWait=1) at nsThreadUtils.cpp:227
---Type <return> to continue, or q <return> to quit---
#16 0xb57c4e36 in nsBaseAppShell::Run (this=0xb6b9e3d0) at /home/jimb/mc/tm/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#17 0xb552fdb1 in nsAppStartup::Run (this=0xb6bb8c10) at /home/jimb/mc/tm/toolkit/components/startup/src/nsAppStartup.cpp:182
#18 0xb7f3b7a0 in XRE_main (argc=3, argv=0xbff32e94, aAppData=0xb6c0e380) at /home/jimb/mc/tm/toolkit/xre/nsAppRunner.cpp:3220
#19 0x08049912 in main (argc=3, argv=0xbff32e94) at /home/jimb/mc/tm/browser/app/nsBrowserApp.cpp:156
Simply visiting the page with content jit enabled, and then quitting crashes.
We have a bug on this website. It doesn't display correctly with jit on. Could anyone debug? I am still working on jquery.
Install flash. Set dom.allow_scripts_to_close_windows. Set javascript.options.jit.content. Visit the attached:
firefox file:///.../exterior-360.html
Firefox segfaults.
Using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20081006 Minefield/3.1b1pre 20081006034237
- I don't see the unresponsive script alert
- I played around with the Exterior and Interior tabs; no crash
- I quit and still no crash
Did anything change in the code?
Actually, I'm seeing crashes with the recipe in comment #7 whether the jit is enabled or not. Bisection says it's the changeset below. changeset: 15459:621becf19fe6 user: Jason Evans <jasone@canonware.com> date: Fri Jun 20 10:34:42 2008 -0700 summary: Bug 431221: Disable glib slice allocator, r=benjamin diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp --- a/toolkit/xre/nsAppRunner.cpp +++ b/toolkit/xre/nsAppRunner.cpp @@ -2775,6 +2775,12 @@ XRE_main(int argc, char* argv[], const n #endif #if defined(MOZ_WIDGET_GTK2) +#ifdef MOZ_MEMORY + // Disable the slice allocator, since jemalloc already uses similar layout + // algorithms, and using a sub-allocator tends to increase fragmentation. + // This must be done before g_thread_init() is called. + g_slice_set_config(G_SLICE_CONFIG_ALWAYS_MALLOC, 1); +#endif g_thread_init(NULL); // setup for private colormap. Ideally we'd like to do this // in nsAppShell::Create, but we need to get in before gtk
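Review bot: The g_slice_set_config(G_SLICE_CONFIG_ALWAYS_MALLOC, 1) call added just ahead of g_thread_init(NULL) is a process-wide setting, but its comment only gives the fragmentation rationale. The comment should also state that every GLib slice user in the process, not only Mozilla's own code, will now be served by malloc, because that changes heap layout for code that previously sat in the slice allocator. The ordering requirement ("This must be done before g_thread_init() is called") is held only by the comment and by the two calls being adjacent; keeping both calls in one small helper would stop a later edit from separating them.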
Jason, any thoughts on why that change would cause a segfault?
(gdb) where
#0 0xb7fe2410 in __kernel_vsyscall ()
#1 0xb7fc4d30 in raise () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb74fd5ec in nsProfileLock::FatalSignalHandler () from ./obj-rel/dist/bin/libxul.so
#3 <signal handler called>
#4 0xb71905fc in gtk_widget_hide () from /usr/lib/libgtk-x11-2.0.so.0
#5 0xadda5ebb in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#6 0xadd9b418 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#7 0xadd94261 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#8 0xadd98a17 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#9 0xb7b0e3d3 in ns4xPluginInstance::Stop () from ./obj-rel/dist/bin/libxul.so
#10 0xb76b9359 in DoStopPlugin () from ./obj-rel/dist/bin/libxul.so
#11 0xb76b976c in nsStopPluginRunnable::Run () from ./obj-rel/dist/bin/libxul.so
#12 0xb7c943de in nsThread::ProcessNextEvent () from ./obj-rel/dist/bin/libxul.so
#13 0xb7c63d57 in NS_ProcessNextEvent_P () from ./obj-rel/dist/bin/libxul.so
#14 0xb7bda8ee in nsBaseAppShell::Run () from ./obj-rel/dist/bin/libxul.so
#15 0xb7aaef56 in nsAppStartup::Run () from ./obj-rel/dist/bin/libxul.so
#16 0xb74f7041 in XRE_main () from ./obj-rel/dist/bin/libxul.so
#17 0x08048b04 in main ()
(gdb)
Will try to get a backtrace with a debug build tomorrow.
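Added example, not part of the original bug comments or of Mozilla's code: a small triage script that reduces the two gdb backtraces posted in this bug to a load-address-independent crash signature, so the debug-build and release-build crashes can be compared even though the unsymbolized plugin frames have different absolute addresses. The function names signature and load_delta are this example's own; the frames are copied from the comments above.

```python
import re

# Frames copied from the two backtraces in this bug, from the signal frame down to Stop().
TRACE_DEBUG = """\
#5 <signal handler called>
#6 0xb7af55fc in gtk_widget_hide () from /usr/lib/libgtk-x11-2.0.so.0
#7 0xac7a5ebb in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#8 0xac79b418 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#9 0xac794261 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#10 0xac798a17 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#11 0xb052d423 in nsNPAPIPluginInstance::Stop (this=0x9e27c480) at /home/jimb/mc/tm/modules/plugin/base/src/nsNPAPIPluginInstance.cpp:914
"""
TRACE_RELEASE = """\
#3 <signal handler called>
#4 0xb71905fc in gtk_widget_hide () from /usr/lib/libgtk-x11-2.0.so.0
#5 0xadda5ebb in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#6 0xadd9b418 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#7 0xadd94261 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#8 0xadd98a17 in ?? () from /home/jimb/.mozilla/plugins/libflashplayer.so
#9 0xb7b0e3d3 in ns4xPluginInstance::Stop () from ./obj-rel/dist/bin/libxul.so
"""

FRAME = re.compile(r"^#\d+\s+(0x[0-9a-f]+) in (\S+) \(.*?\)(?: (?:from|at) (\S+))?")

def frames_after_signal(trace):
    """Return (address, function, module basename) for frames below the signal frame."""
    out, seen = [], False
    for line in trace.splitlines():
        if "<signal handler called>" in line:
            seen = True
            continue
        m = FRAME.match(line)
        if seen and m:
            addr, func, where = m.groups()
            out.append((int(addr, 16), func, (where or "?").rsplit("/", 1)[-1]))
    return out

def signature(trace):
    """Faulting function plus each unsymbolized frame as (module, offset from the first one)."""
    frames = frames_after_signal(trace)
    if not frames:
        return None
    unknown = [(a, m) for a, f, m in frames if f == "??"]
    base = unknown[0][0] if unknown else 0
    return frames[0][1], tuple((m, a - base) for a, m in unknown)

def load_delta(t1, t2):
    """Difference between the first unsymbolized frame address in each trace."""
    first = lambda t: next(a for a, f, _ in frames_after_signal(t) if f == "??")
    return first(t2) - first(t1)
```

Relative offsets are used because the plugin frames carry no symbols and the library is mapped at a different base in each run; symbolized frames below the plugin are left out of the signature since their names differ between the two builds.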
Took the TM label off the title. Seems to be not a jit bug.
Summary: TM: site doesn't display then crashes with TraceMonkey enabled → site doesn't display then crashes
May not be jemalloc but it seems a better component than JS engine for now. /be
Assignee: jim → nobody
Component: JavaScript Engine → jemalloc
QA Contact: general → jemalloc
One possible explanation is that by changing the layout of memory (by doing away with the gtk slice suballocator), some form of memory corruption is having a more disastrous effect, due to chance. For what it's worth, I've seen a lot of similar instability problems when the flash plugin is installed, but have never been able to narrow the problem down beyond determining that the flash plugin is somehow involved.
This WFM now. Please re-open/renominate if you can reproduce this again.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: blocking1.9.1?
Resolution: --- → WORKSFORME