TM: Crash @dtoa with JIT.content enabled

VERIFIED FIXED in mozilla1.9.1b2

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
10 years ago
7 years ago

People

(Reporter: Antti Tervasmäki, Unassigned)

Tracking

({crash})

Trunk
mozilla1.9.1b2
x86
Windows Vista
crash
Points:
---
Bug Flags:
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081009 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081009 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3

Immediate crash going to that site.

Reproducible: Always

Steps to Reproduce:
1.Click that link
2.Crash
3.
Actual Results:  
Immediate crash.

Expected Results:  
Site loads

Crash happens with safe mode and even with a new profile.
No crash if jit.content is disabled.

Cash:http://crash-stats.mozilla.com/report/index/e2994678-96ca-11dd-91b8-001a4bd43ef6
Siganture: @dtoa

All crashes I got have the same signature.
Confirming: 
http://crash-stats.mozilla.com/report/index/1c4bc885-96bf-11dd-b195-001a4bd43ed6?p=1 

Different sig, but same site.

Vista HP SP1 
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081010 Minefield/3.1b2pre Firefox/3.0 ID:20081010033844
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: Crash @dtoa with JIT.content enabled → TM: Crash @dtoa with JIT.content enabled
Target Milestone: --- → mozilla1.9.1b2
Version: unspecified → Trunk

Updated

10 years ago
Severity: major → critical
Keywords: crash

Comment 2

10 years ago
I hit a different assertion:

#0  NanoAssertFail () at /Users/crowder/mozilla/js/src/nanojit/avmplus.cpp:56
#1  0x002ec651 in nanojit::Assembler::asm_cmp (this=0x837600, cond=0x177de360) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:554
#2  0x002fd8c5 in nanojit::Assembler::gen (this=0x837600, reader=0xbfffb9cc, loopJumps=@0xbfffba38) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:1298
#3  0x00300fdf in nanojit::Assembler::assemble (this=0x837600, frag=0x1a850920, loopJumps=@0xbfffba38) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:759
#4  0x0030ee2d in nanojit::compile (assm=0x837600, triggerFrag=0x1a850920) at /Users/crowder/mozilla/js/src/nanojit/LIR.cpp:1886
#5  0x002d154f in TraceRecorder::compile (this=0x1a885600, fragmento=0x73f130) at /Users/crowder/mozilla/js/src/jstracer.cpp:1822
#6  0x002d1993 in TraceRecorder::endLoop (this=0x1a885600, fragmento=0x73f130) at /Users/crowder/mozilla/js/src/jstracer.cpp:1871
#7  0x002d2ee3 in js_MonitorRecording (tr=0x1a885600) at /Users/crowder/mozilla/js/src/jstracer.cpp:2781
#8  0x00230e15 in js_Interpret (cx=0xbbd000) at jsopcode.tbl:105
#9  0x00246ee1 in js_Execute (cx=0xbbd000, chain=0x17a08980, script=0x1a894f00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1550
#10 0x001c434c in JS_EvaluateUCScriptForPrincipals (cx=0xbbd000, obj=0x17a08980, principals=0x19b06aa4, chars=0xbfffd488, length=17, filename=0x19b02438 "http://www.foodnetwork.com/", lineno=77, rval=0x0) at /Users/crowder/mozilla/js/src/jsapi.cpp:5081


I'll try to get a reduced testcase.

Comment 3

10 years ago
Ok, quickly got out of my depth here in trace/nanojit stuff, but we seem to be dying inside the "LeaderboardAd()" routine, inside the first call on the page (the "LeaderboardAd(1)").  Can't be sure where, though, sorry.

Comment 4

10 years ago
No crash at www.foodnetwork.com with the 20081013 build how about you guys?

Comment 5

10 years ago
I was able to get it with a pretty recent source-pull from mozilla-central, but I didn't try a tracemonkey build.

Comment 6

10 years ago
We merged into mc a few minutes ago. Give it a try with tonight's nightly.
Crash with today's nightly 10132008
http://crash-stats.mozilla.com/report/index/5ce0b057-9991-11dd-96fb-001a4bd43ed6

No crash with hourly build following the TM mergers into m-c 
Using build id: http://hg.mozilla.org/mozilla-central/rev/7de3a1cdeb25 No crash

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre Firefox/3.0 ID:20081013172637
(Reporter)

Comment 8

10 years ago
No crash for me with today's nightly. Hopefully it is those fixes, not the site, which may be a moving target, as those ad's change...

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081014 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 ID:20081014032121

Have to check with yesterday's nightly and see..
(Reporter)

Comment 9

10 years ago
Yesterday's crashed with: http://crash-stats.mozilla.com/report/index/73a0958f-99ef-11dd-b24b-001a4bd43ed6

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 ID:20081013033718
marking this FIXED - Merge from comment #6 fixed the crashing, and testing from comment #7 thru comment #9 confirming no more crashes.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 11

10 years ago
/cvsroot/mozilla/js/tests/js1_8/regress/regress-459389.js,v  <--  regress-459389.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/6e5c848a2183
Flags: in-testsuite+
Flags: in-litmus-

Comment 12

10 years ago
v 1.9.1. this was only ever reproducible on windows.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.