Closed
Bug 459389
Opened 16 years ago
Closed 16 years ago
TM: Crash @dtoa with JIT.content enabled
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b2
People
(Reporter: anttit, Unassigned)
References
()
Details
(Keywords: crash)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081009 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081009 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 Immediate crash going to that site. Reproducible: Always Steps to Reproduce: 1.Click that link 2.Crash 3. Actual Results: Immediate crash. Expected Results: Site loads Crash happens with safe mode and even with a new profile. No crash if jit.content is disabled. Cash:http://crash-stats.mozilla.com/report/index/e2994678-96ca-11dd-91b8-001a4bd43ef6 Siganture: @dtoa All crashes I got have the same signature.
Comment 1•16 years ago
|
||
Confirming: http://crash-stats.mozilla.com/report/index/1c4bc885-96bf-11dd-b195-001a4bd43ed6?p=1 Different sig, but same site. Vista HP SP1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081010 Minefield/3.1b2pre Firefox/3.0 ID:20081010033844
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: Crash @dtoa with JIT.content enabled → TM: Crash @dtoa with JIT.content enabled
Target Milestone: --- → mozilla1.9.1b2
Version: unspecified → Trunk
Comment 2•16 years ago
|
||
I hit a different assertion: #0 NanoAssertFail () at /Users/crowder/mozilla/js/src/nanojit/avmplus.cpp:56 #1 0x002ec651 in nanojit::Assembler::asm_cmp (this=0x837600, cond=0x177de360) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:554 #2 0x002fd8c5 in nanojit::Assembler::gen (this=0x837600, reader=0xbfffb9cc, loopJumps=@0xbfffba38) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:1298 #3 0x00300fdf in nanojit::Assembler::assemble (this=0x837600, frag=0x1a850920, loopJumps=@0xbfffba38) at /Users/crowder/mozilla/js/src/nanojit/Assembler.cpp:759 #4 0x0030ee2d in nanojit::compile (assm=0x837600, triggerFrag=0x1a850920) at /Users/crowder/mozilla/js/src/nanojit/LIR.cpp:1886 #5 0x002d154f in TraceRecorder::compile (this=0x1a885600, fragmento=0x73f130) at /Users/crowder/mozilla/js/src/jstracer.cpp:1822 #6 0x002d1993 in TraceRecorder::endLoop (this=0x1a885600, fragmento=0x73f130) at /Users/crowder/mozilla/js/src/jstracer.cpp:1871 #7 0x002d2ee3 in js_MonitorRecording (tr=0x1a885600) at /Users/crowder/mozilla/js/src/jstracer.cpp:2781 #8 0x00230e15 in js_Interpret (cx=0xbbd000) at jsopcode.tbl:105 #9 0x00246ee1 in js_Execute (cx=0xbbd000, chain=0x17a08980, script=0x1a894f00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1550 #10 0x001c434c in JS_EvaluateUCScriptForPrincipals (cx=0xbbd000, obj=0x17a08980, principals=0x19b06aa4, chars=0xbfffd488, length=17, filename=0x19b02438 "http://www.foodnetwork.com/", lineno=77, rval=0x0) at /Users/crowder/mozilla/js/src/jsapi.cpp:5081 I'll try to get a reduced testcase.
Comment 3•16 years ago
|
||
Ok, quickly got out of my depth here in trace/nanojit stuff, but we seem to be dying inside the "LeaderboardAd()" routine, inside the first call on the page (the "LeaderboardAd(1)"). Can't be sure where, though, sorry.
No crash at www.foodnetwork.com with the 20081013 build how about you guys?
Comment 5•16 years ago
|
||
I was able to get it with a pretty recent source-pull from mozilla-central, but I didn't try a tracemonkey build.
Comment 6•16 years ago
|
||
We merged into mc a few minutes ago. Give it a try with tonight's nightly.
Comment 7•16 years ago
|
||
Crash with today's nightly 10132008 http://crash-stats.mozilla.com/report/index/5ce0b057-9991-11dd-96fb-001a4bd43ed6 No crash with hourly build following the TM mergers into m-c Using build id: http://hg.mozilla.org/mozilla-central/rev/7de3a1cdeb25 No crash Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre Firefox/3.0 ID:20081013172637
Reporter | ||
Comment 8•16 years ago
|
||
No crash for me with today's nightly. Hopefully it is those fixes, not the site, which may be a moving target, as those ad's change... Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081014 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 ID:20081014032121 Have to check with yesterday's nightly and see..
Reporter | ||
Comment 9•16 years ago
|
||
Yesterday's crashed with: http://crash-stats.mozilla.com/report/index/73a0958f-99ef-11dd-b24b-001a4bd43ed6 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre (.NET CLR 3.5.30729) Firefox/3.0.3 ID:20081013033718
Comment 10•16 years ago
|
||
marking this FIXED - Merge from comment #6 fixed the crashing, and testing from comment #7 thru comment #9 confirming no more crashes.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 11•16 years ago
|
||
/cvsroot/mozilla/js/tests/js1_8/regress/regress-459389.js,v <-- regress-459389.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/rev/6e5c848a2183
Flags: in-testsuite+
Flags: in-litmus-
Comment 12•16 years ago
|
||
v 1.9.1. this was only ever reproducible on windows.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•