Closed Bug 455646 Opened 16 years ago Closed 16 years ago

TM: Crash at youtube.com on history navigation + NoScript [js_FillPropertyCache]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: fehe, Assigned: brendan)

References

(
URL
)

Details

(Keywords: crash) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Firefox/2.0.0.11

Under very specific conditions, with JIT chrome enabled, Firefox crashes when navigating either forward or backwards (in history) at Youtube.com.  The additional conditions are the presence of NoScript and general.useragent.extra.firefox being set to something like Firefox/2.0.0.11.

Crash Signature: js_FillPropertyCache

http://crash-stats.mozilla.com/report/index/27ba51fd-8444-11dd-92d5-001cc45a2c28
http://crash-stats.mozilla.com/report/index/c51bba63-8444-11dd-b741-0013211cbf8a
http://crash-stats.mozilla.com/report/index/24601d91-8459-11dd-b006-0013211cbf8a
http://crash-stats.mozilla.com/report/index/6984521c-8454-11dd-99d0-001321b13766


Reproducible: Always

Steps to Reproduce:
1. Create a new profile
2. Install NoScript
3. Change the value of general.useragent.extra.firefox to Firefox/2.0.0.11
4. Enable javascript.options.jit.chrome (set it to true)
5. Restart Firefox
6. Go to http://www.youtube.com and click a video
7. Right-click the NoScript icon (in the status bar) and select "Temporarily allow all this page"
8. Allow the video to play for about 10 seconds and, while the video is still playing, left-click one of the related videos on the right (so it loads in the same tab).
9. Allow that second video to play for about 10 seconds then click the Back toolbar button
10. The result should be a crash.  If you do not immediately crash, try clicking the Forward toolbar button.
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
Blocks: 453668
Keywords: crash
May be WFM, will try to reproduce. Reporter, if you could try the latest tracemonkey tinderbox build, or tonights mozilla-central (Firefox 3.1 pre) build and see whether it reproduces, that would be a big help. Thanks,

/be
Assignee: nobody → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.1?
I can still reproduce easily with both tracemonkey tinderbox and mozilla-central (Firefox 3.1 pre)builds, though the crash signature is now: [@ nanojit::LirBufWriter::insImm(int) ] (I now opened Bug 456981)

TraceMonkey: http://crash-stats.mozilla.com/report/index/c1849051-8b08-11dd-95ea-001a4bd43ef6?p=1

Mozilla-Central: http://crash-stats.mozilla.com/report/index/1e3af180-8b07-11dd-bb34-001cc4e2bf68?p=1

TraceMonkey build:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925034925 Firefox/2.0.0.11

Mozilla-Central build:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Firefox/2.0.0.11
I should clarify that I can no longer reproduce this bug, specifically, but the steps for this crash still produce a crash, which I have now reported as Bug 456981
Ok, WFM this bug, and bumped priority on the other one. Testing 456981 now.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Flags: blocking1.9.1? → blocking1.9.1+
You need to log in before you can comment on or make changes to this bug.