TM: Crash at youtube.com on history navigation + NoScript [@ nanojit::LirBufWriter::insImm(int) ]

RESOLVED WORKSFORME

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Priority: P2
Severity: critical
Reported: 10 years ago
Modified: 7 years ago

People

Reporter: IU
Assignee: Unassigned

Tracking

Keywords: crash
Version: Trunk
Target Milestone: mozilla1.9.1b1
Hardware: x86
OS: Windows XP
Points: ---
Bug Flags: blocking1.9.1 +
Firefox Tracking Flags: (Not tracked)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Firefox/2.0.0.11

The circumstances for this bug are similar to Bug 455646.

Under very specific conditions, with JIT chrome enabled, Firefox crashes when
navigating either forward or backwards (in history) at Youtube.com.  The
additional conditions are the presence of NoScript and
general.useragent.extra.firefox being set to something like Firefox/2.0.0.11.

Crash Signature: nanojit::LirBufWriter::insImm(int)

http://crash-stats.mozilla.com/report/index/1e3af180-8b07-11dd-bb34-001cc4e2bf68
http://crash-stats.mozilla.com/report/index/c1849051-8b08-11dd-95ea-001a4bd43ef6

Reproducible: Always

Steps to Reproduce:
1. Create a new profile
2. Install NoScript
3. Change the value of general.useragent.extra.firefox to Firefox/2.0.0.11
4. Enable javascript.options.jit.chrome (set it to true)
5. Restart Firefox
6. Go to http://www.youtube.com and click a video
7. Right-click the NoScript icon (in the status bar) and select "Temporarily allow all this page"
8. Allow the video to play for about 10 seconds or more, then left-click one of the related videos on the right (so it loads in the same tab).
9. Either allow that second video to play for a few seconds and then click the Back toolbar button, or simply click the Back toolbar button.
10. The result should be a crash.
(Reporter)

Updated

10 years ago
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
0  js3250.dll  nanojit::LirBufWriter::insImm          js/src/nanojit/LIR.cpp:412
1  js3250.dll  nanojit::CseFilter::insImm             js/src/nanojit/LIR.cpp:1725
2  js3250.dll  nanojit::LirWriter::insLoad            js/src/nanojit/LIR.cpp:889
3  js3250.dll  TraceRecorder::test_property_cache     js/src/jstracer.cpp:3524
4  js3250.dll  TraceRecorder::prop                    js/src/jstracer.cpp:5171
5  js3250.dll  TraceRecorder::getProp                 js/src/jstracer.cpp:5295
6  js3250.dll  TraceRecorder::getProp                 js/src/jstracer.cpp:5310
7  js3250.dll  TraceRecorder::record_JSOP_GETARGPROP  js/src/jstracer.cpp:6583
8  js3250.dll  js3250.dll@0x696b0
Keywords: crash

Updated

10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b1

Comment 2

10 years ago
    LInsp LirBufWriter::insImm(int32_t imm)
    {
        if (isS16(imm)) {
            ensureRoom(1);
            LInsp l = _buf->next();
            l->initOpcode(LIR_short);   // [crash here]
            l->setimm16(imm);
            _buf->commit(1);
            _buf->_stats.lir++;
            return l;
        } else {
            ensureRoom(2);
            int32_t* l = (int32_t*)_buf->next();
            *l = imm;
            _buf->commit(1);
            return ins0(LIR_int);
        }
    }

David, any comments on this one?
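To make the two code paths in the quoted insImm() concrete, here is an added toy model of the same immediate-encoding scheme, written for this page and not taken from nanojit: a value that fits in 16 bits occupies one slot together with its opcode, a wider value is written into a separate slot ahead of a LIR_int instruction. The slot layout, the opcode numbers, the fixed 64-slot capacity and the names ins_imm/imm_at/ensure_room are all constructed assumptions; unlike the quoted code, the room check here reports failure to the caller instead of assuming space is available, so the example makes no claim about the cause of the crash reported above.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a LIR instruction buffer (illustration only, not nanojit's
 * code). Each slot is one 32-bit word. A LIR_short carries its 16-bit
 * immediate inside the instruction word; a LIR_int is preceded by a
 * separate slot that holds the full 32-bit value. Opcode values are
 * constructed for this example. */
enum { LIR_short = 1, LIR_int = 2 };

typedef struct {
    uint32_t slots[64];   /* fixed capacity, chosen for the example */
    size_t used;          /* number of slots already committed */
} LirBuf;

/* Does the value fit in a signed 16-bit immediate? */
static bool isS16(int32_t v) { return v >= -32768 && v <= 32767; }

/* Plays the role of ensureRoom(): true if n more slots fit. The caller
 * must check the result; nothing is written when it is false. */
static bool ensure_room(const LirBuf *b, size_t n) {
    return b->used + n <= sizeof(b->slots) / sizeof(b->slots[0]);
}

/* Emit an immediate. Returns the slot index of the emitted instruction,
 * or -1 if the buffer has no room. Small values take one slot, wide
 * values take two (payload slot followed by the instruction slot). */
int ins_imm(LirBuf *b, int32_t imm) {
    if (isS16(imm)) {
        if (!ensure_room(b, 1)) return -1;
        /* opcode in the low byte, 16-bit immediate in the high half */
        b->slots[b->used] = (uint32_t)LIR_short | ((uint32_t)(uint16_t)imm << 16);
        return (int)b->used++;
    }
    if (!ensure_room(b, 2)) return -1;
    b->slots[b->used++] = (uint32_t)imm;   /* payload slot */
    b->slots[b->used] = LIR_int;           /* instruction refers to the previous slot */
    return (int)b->used++;
}

/* Decode the immediate carried by the instruction at slot index i. */
int32_t imm_at(const LirBuf *b, int i) {
    uint32_t w = b->slots[i];
    if ((w & 0xff) == LIR_short) return (int16_t)(w >> 16);
    return (int32_t)b->slots[i - 1];  /* LIR_int: value lives in the previous slot */
}

size_t slots_used(const LirBuf *b) { return b->used; }

int main(void) {
    LirBuf b;
    memset(&b, 0, sizeof b);
    int a = ins_imm(&b, 412);          /* fits in 16 bits: one slot */
    int c = ins_imm(&b, 0x12345678);   /* too wide: two slots */
    printf("412 at slot %d decodes %d; 0x12345678 at slot %d decodes 0x%x; %zu slots used\n",
           a, imm_at(&b, a), c, (unsigned)imm_at(&b, c), slots_used(&b));
    return 0;
}
```

Running it shows the small immediate landing in slot 0 and the wide one in slot 2 (its payload in slot 1), and once all 64 slots are committed ins_imm() returns -1 rather than writing past the end of the buffer.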

Updated

10 years ago
Flags: blocking1.9.1? → blocking1.9.1+
(Reporter)

Comment 3

10 years ago
A while ago, I opened a tab and, in the middle of loading hotmail, I got a crash with the following signature: [@ nanojit::LirBufWriter::insFar(nanojit::LOpcode, nanojit::LIns*) ]

http://crash-stats.mozilla.com/report/index/ef5e72d1-8b11-11dd-97c6-0013211cbf8a

Is that pretty much the same as this bug or should I be opening a new bug?

Comment 4

10 years ago
Yeah, that's the same bug with very high probability. Thanks for the report. This will be worked on shortly.
(Reporter)

Comment 5

10 years ago
Just discovered that this bug can also be reproduced by moving a tab with active flash content from one window to another.  NoScript is still a requirement.

Updated

9 years ago
Priority: P1 → P2
Comment 6

> Just discovered that this bug can also be reproduced by moving a tab with
> active flash content from one window to another.  NoScript is still a
> requirement.

This is the only crash I'm able to reproduce, but it happens even without the JIT, so I don't think it's related.

The original crash might have been fixed already, we haven't synced with mozilla-central yet though.  Could you try the latest build from ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/tracemonkey-win32/ ?
(Reporter)

Comment 7

9 years ago
@David: you're experiencing this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=458048

As far as the immediate bug goes, it is indeed fixed in the latest TraceMonkey build.  Thanks.

Comment 8

We sync'ed tm and m-c, so this should be fixed now. I'll mark WFM optimistically.

/be
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

7 years ago
Crash Signature: [@ nanojit::LirBufWriter::insImm(int) ]