Closed Bug 459389 Opened 13 years ago Closed 13 years ago

TM: Crash @dtoa with JIT.content enabled

Categories

(Core :: JavaScript Engine, defect)

x86
Windows Vista
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.9.1b2

People

(Reporter: anttit, Unassigned)

References

()

Details

(Keywords: crash)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081009 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081009 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3

Immediate crash going to that site.

Reproducible: Always

Steps to Reproduce:
1.Click that link
2.Crash
3.
Actual Results:  
Immediate crash.

Expected Results:  
Site loads

Crash happens with safe mode and even with a new profile.
No crash if jit.content is disabled.

Cash:http://crash-stats.mozilla.com/report/index/e2994678-96ca-11dd-91b8-001a4bd43ef6
Siganture: @dtoa

All crashes I got have the same signature.
Confirming: 
http://crash-stats.mozilla.com/report/index/1c4bc885-96bf-11dd-b195-001a4bd43ed6?p=1 

Different sig, but same site.

Vista HP SP1 
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081010 Minefield/3.1b2pre Firefox/3.0 ID:20081010033844
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: Crash @dtoa with JIT.content enabled → TM: Crash @dtoa with JIT.content enabled
Target Milestone: --- → mozilla1.9.1b2
Version: unspecified → Trunk
Severity: major → critical
Keywords: crash
I hit a different assertion:

#0  NanoAssertFail () at /Users/crowder/mozilla/js/src/nanojit/avmplus.cpp:56
#1  0x002ec651 in nanojit::Assembler::asm_cmp (this=0x837600, cond=0x177de360) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:554
#2  0x002fd8c5 in nanojit::Assembler::gen (this=0x837600, reader=0xbfffb9cc, loopJumps=@0xbfffba38) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:1298
#3  0x00300fdf in nanojit::Assembler::assemble (this=0x837600, frag=0x1a850920, loopJumps=@0xbfffba38) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:759
#4  0x0030ee2d in nanojit::compile (assm=0x837600, triggerFrag=0x1a850920) at /Users/crowder/mozilla/js/src/nanojit/LIR.cpp:1886
#5  0x002d154f in TraceRecorder::compile (this=0x1a885600, fragmento=0x73f130) at /Users/crowder/mozilla/js/src/jstracer.cpp:1822
#6  0x002d1993 in TraceRecorder::endLoop (this=0x1a885600, fragmento=0x73f130) at /Users/crowder/mozilla/js/src/jstracer.cpp:1871
#7  0x002d2ee3 in js_MonitorRecording (tr=0x1a885600) at /Users/crowder/mozilla/js/src/jstracer.cpp:2781
#8  0x00230e15 in js_Interpret (cx=0xbbd000) at jsopcode.tbl:105
#9  0x00246ee1 in js_Execute (cx=0xbbd000, chain=0x17a08980, script=0x1a894f00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1550
#10 0x001c434c in JS_EvaluateUCScriptForPrincipals (cx=0xbbd000, obj=0x17a08980, principals=0x19b06aa4, chars=0xbfffd488, length=17, filename=0x19b02438 "http://www.foodnetwork.com/", lineno=77, rval=0x0) at /Users/crowder/mozilla/js/src/jsapi.cpp:5081


I'll try to get a reduced testcase.
Ok, quickly got out of my depth here in trace/nanojit stuff, but we seem to be dying inside the "LeaderboardAd()" routine, inside the first call on the page (the "LeaderboardAd(1)").  Can't be sure where, though, sorry.
No crash at www.foodnetwork.com with the 20081013 build how about you guys?
I was able to get it with a pretty recent source-pull from mozilla-central, but I didn't try a tracemonkey build.
We merged into mc a few minutes ago. Give it a try with tonight's nightly.
Crash with today's nightly 10132008
http://crash-stats.mozilla.com/report/index/5ce0b057-9991-11dd-96fb-001a4bd43ed6

No crash with hourly build following the TM mergers into m-c 
Using build id: http://hg.mozilla.org/mozilla-central/rev/7de3a1cdeb25 No crash

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre Firefox/3.0 ID:20081013172637
No crash for me with today's nightly. Hopefully it is those fixes, not the site, which may be a moving target, as those ad's change...

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081014 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 ID:20081014032121

Have to check with yesterday's nightly and see..
Yesterday's crashed with: http://crash-stats.mozilla.com/report/index/73a0958f-99ef-11dd-b24b-001a4bd43ed6

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 ID:20081013033718
marking this FIXED - Merge from comment #6 fixed the crashing, and testing from comment #7 thru comment #9 confirming no more crashes.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/js1_8/regress/regress-459389.js,v  <--  regress-459389.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/6e5c848a2183
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.1. this was only ever reproducible on windows.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.