Bug 456981 - TM: Crash at youtube.com on history navigation + NoScript [@ nanojit::LirBufWriter::insImm(int) ]
Status: Closed, RESOLVED WORKSFORME
Opened 17 years ago; closed 17 years ago
Product/Component: Core :: JavaScript Engine (defect, P2)
Target Milestone: mozilla1.9.1b1
Reporter: fehe; Assignee: Unassigned
Keywords: crash
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080925033548 Firefox/2.0.0.11
The circumstances for this bug are similar to Bug 455646.
Under very specific conditions, with JIT chrome enabled, Firefox crashes when navigating either forward or backwards (in history) at Youtube.com. The additional conditions are the presence of NoScript and general.useragent.extra.firefox being set to something like Firefox/2.0.0.11.
Crash Signature: nanojit::LirBufWriter::insImm(int)
http://crash-stats.mozilla.com/report/index/1e3af180-8b07-11dd-bb34-001cc4e2bf68
http://crash-stats.mozilla.com/report/index/c1849051-8b08-11dd-95ea-001a4bd43ef6
Reproducible: Always
Steps to Reproduce:
1. Create a new profile
2. Install NoScript
3. Change the value of general.useragent.extra.firefox to Firefox/2.0.0.11
4. Enable javascript.options.jit.chrome (set it to true)
5. Restart Firefox
6. Go to http://www.youtube.com and click a video
7. Right-click the NoScript icon (in the status bar) and select "Temporarily allow all this page"
8. Allow the video to play for about 10 seconds or more, then left-click one of the related videos on the right (so it loads in the same tab).
9. Either allow that second video to play for a few seconds and then click the Back toolbar button, or simply click the Back toolbar button.
10. The result should be a crash.
Component: General → JavaScript Engine
Product: Firefox → Core
Version: unspecified → Trunk
Comment 1•17 years ago
0 js3250.dll nanojit::LirBufWriter::insImm js/src/nanojit/LIR.cpp:412
1 js3250.dll nanojit::CseFilter::insImm js/src/nanojit/LIR.cpp:1725
2 js3250.dll nanojit::LirWriter::insLoad js/src/nanojit/LIR.cpp:889
3 js3250.dll TraceRecorder::test_property_cache js/src/jstracer.cpp:3524
4 js3250.dll TraceRecorder::prop js/src/jstracer.cpp:5171
5 js3250.dll TraceRecorder::getProp js/src/jstracer.cpp:5295
6 js3250.dll TraceRecorder::getProp js/src/jstracer.cpp:5310
7 js3250.dll TraceRecorder::record_JSOP_GETARGPROP js/src/jstracer.cpp:6583
8 js3250.dll js3250.dll@0x696b0
Keywords: crash
Updated•17 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b1
Comment 2•17 years ago
LInsp LirBufWriter::insImm(int32_t imm)
{
    if (isS16(imm)) {
        ensureRoom(1);
        LInsp l = _buf->next();
        l->initOpcode(LIR_short);   // [crash here]
        l->setimm16(imm);
        _buf->commit(1);
        _buf->_stats.lir++;
        return l;
    } else {
        ensureRoom(2);
        int32_t* l = (int32_t*)_buf->next();
        *l = imm;
        _buf->commit(1);
        return ins0(LIR_int);
    }
}
David, any comments on this one?
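The crash site quoted in Comment 2 is the first write through the pointer that next() returns after ensureRoom(). The thread never establishes why that pointer was bad in this bug (it was closed WORKSFORME after the TraceMonkey/mozilla-central sync), so what follows is only an added illustration written for this page, not code from nanojit or from the bug: a hypothetical ModelLirBuf that keeps the same ensureRoom()/next()/commit() discipline as the snippet but refuses to hand out a pointer that was not reserved, plus a model of insImm's one-slot (S16) and two-slot paths. The names ModelLirBuf, modelInsImm, modelReadImm, OP_SHORT and OP_INT, and the 32-bit cell layout, are assumptions of the model.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical model of a fixed-capacity LIR buffer. NOT nanojit's LirBuffer;
// it only makes the invariant visible: next() must never return a pointer that
// ensureRoom() did not cover, because that pointer is written through at once.
struct ModelLirBuf {
    std::vector<std::uint32_t> slots;  // one 32-bit cell per slot
    std::size_t used = 0;              // committed slots
    std::size_t reserved = 0;          // promised by ensureRoom(), not yet committed

    explicit ModelLirBuf(std::size_t capacity) : slots(capacity, 0) {}

    // The only capacity check. Real nanojit would move to a fresh page here;
    // this model refuses instead of writing out of bounds.
    void ensureRoom(std::size_t n) {
        if (used + n > slots.size())
            throw std::length_error("LIR buffer exhausted");
        reserved = n;
    }

    // Refuses to return a pointer the caller has not reserved.
    std::uint32_t* next() {
        if (reserved == 0)
            throw std::logic_error("next() without a live ensureRoom()");
        return &slots[used];
    }

    void commit(std::size_t n) {
        if (n > reserved)
            throw std::logic_error("commit() exceeds reservation");
        used += n;
        reserved -= n;
    }
};

enum ModelOp : std::uint32_t { OP_SHORT = 1, OP_INT = 2 };

static bool isS16(std::int32_t v) { return v == static_cast<std::int16_t>(v); }

// Mirrors insImm(): an immediate that fits 16 bits takes one slot (opcode in
// the low byte, imm16 in the high half); anything else writes the 32-bit
// payload cell first and an OP_INT cell after it. Returns the index of the
// instruction cell, standing in for the LInsp return value.
std::size_t modelInsImm(ModelLirBuf& buf, std::int32_t imm) {
    if (isS16(imm)) {
        buf.ensureRoom(1);
        std::uint32_t* l = buf.next();
        *l = OP_SHORT |
             (static_cast<std::uint32_t>(static_cast<std::uint16_t>(imm)) << 16);
        buf.commit(1);
        return buf.used - 1;
    }
    buf.ensureRoom(2);
    std::uint32_t* payload = buf.next();
    *payload = static_cast<std::uint32_t>(imm);
    buf.commit(1);
    std::uint32_t* l = buf.next();     // second slot of the same reservation
    *l = OP_INT;
    buf.commit(1);
    return buf.used - 1;
}

// Reads an immediate back from the cell modelInsImm() returned.
std::int32_t modelReadImm(const ModelLirBuf& buf, std::size_t idx) {
    std::uint32_t cell = buf.slots.at(idx);
    if ((cell & 0xff) == OP_SHORT)
        return static_cast<std::int16_t>(cell >> 16);
    if (cell == OP_INT)
        return static_cast<std::int32_t>(buf.slots.at(idx - 1));
    throw std::logic_error("not an immediate cell");
}

// Slots consumed by one immediate: 1 on the S16 fast path, 2 otherwise.
std::size_t slotsUsedFor(std::int32_t imm) {
    ModelLirBuf buf(4);
    modelInsImm(buf, imm);
    return buf.used;
}

std::int32_t roundTrip(std::int32_t imm) {
    ModelLirBuf buf(4);
    return modelReadImm(buf, modelInsImm(buf, imm));
}

// A two-slot immediate into a buffer with one slot left must be refused by
// ensureRoom(), with nothing committed, rather than written past the end.
bool overrunIsRefused() {
    ModelLirBuf buf(3);
    modelInsImm(buf, 0x10000);         // takes 2 of 3 slots
    try {
        modelInsImm(buf, 0x20000);     // needs 2, only 1 left
    } catch (const std::length_error&) {
        return buf.used == 2;
    }
    return false;
}
```

The point for anyone maintaining a JIT writer of this shape: the check inside ensureRoom() is the only thing between an immediate's encoding and an out-of-bounds write into the IR buffer, so a slow path that reserves two slots must commit exactly two, and a next() reached without a live reservation should fail loudly in debug builds instead of returning a pointer.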
Updated•17 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 3•17 years ago
A while ago, I opened a tab and, in the middle of loading Hotmail, I got a crash with the following signature: [@ nanojit::LirBufWriter::insFar(nanojit::LOpcode, nanojit::LIns*) ]
http://crash-stats.mozilla.com/report/index/ef5e72d1-8b11-11dd-97c6-0013211cbf8a
Is that pretty much the same as this bug or should I be opening a new bug?
Comment 4•17 years ago
Yeah, that's the same bug with very high probability. Thanks for the report. This will be worked on shortly.
Comment 5•17 years ago
Just discovered that this bug can also be reproduced by moving a tab with active Flash content from one window to another. NoScript is still a requirement.
Updated•17 years ago
Priority: P1 → P2
Comment 6•17 years ago
> Just discovered that this bug can also be reproduced by moving a tab with active Flash content from one window to another. NoScript is still a requirement.
This is the only crash I'm able to reproduce, but it happens even without the JIT, so I don't think it's related.
The original crash might have been fixed already; we haven't synced with mozilla-central yet, though. Could you try the latest build from ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/tracemonkey-win32/ ?
Comment 7•17 years ago
@David: you're experiencing this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=458048
As far as the immediate bug goes, it is indeed fixed in the latest TraceMonkey build. Thanks.
Comment 8•17 years ago
We sync'ed tm and m-c, so this should be fixed now. I'll mark WFM optimistically.
/be
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Updated•14 years ago
Crash Signature: [@ nanojit::LirBufWriter::insImm(int) ]