Closed Bug 461974 Opened 11 years ago Closed 11 years ago

TM: crash at pentestmonkey.net/jsbm/index.html with jit enabled [@ @0x6edc54 - js_Interpret]

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86
All
defect

Tracking

()

VERIFIED FIXED
mozilla1.9.1b2

People

(Reporter: beltzner, Assigned: gal)

References

()

Details

(Keywords: crash, verified1.9.1)

Crash Data

Attachments

(1 file, 2 obsolete files)

On the 20081028 nightly (with tracemonkey on in content by default) the following benchmark site crashes: http://pentestmonkey.net/jsbm/index.html

A couple of crash stacks for you, still processing as of this writing:
http://crash-stats.mozilla.com/report/index/51fff740-8026-11dd-aeb9-001cc4e2bf68
http://crash-stats.mozilla.com/report/index/45ed48a3-8026-11dd-b3e5-001cc45a2ce4
Flags: blocking1.9.1?
Summary: Tracemonkey crashes at pentestmonkey.net/jsbm/index.html → TM: crash at pentestmonkey.net/jsbm/index.html with jit enabled
Signature	@0x6edc54
UUID	5e6d22a1-a4fc-11dd-87c4-001cc4e2bf68
Time	2008-10-28 07:25:38-07
Uptime	4
Product	Firefox
Version	3.1b2pre
Build ID	20081028020258
OS	Mac OS X
OS Version	10.5.5 9F33
CPU	x86
CPU Info	GenuineIntel family 6 model 7 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x6edc54
Comments	
Crashing Thread
Frame 	Module 	Signature 	Source
0 		@0x6edc54 	
1 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:2439
2 	libmozjs.dylib 	js_MonitorLoopEdge 	js/src/jstracer.cpp:2916
3 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3077
4 	libmozjs.dylib 	js_Invoke 	js/src/jsinvoke.cpp:1324
5 	libmozjs.dylib 	js_fun_apply 	js/src/jsfun.cpp:1732
6 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:4998
7 	libmozjs.dylib 	js_Invoke 	js/src/jsinvoke.cpp:1324
8 	libmozjs.dylib 	js_InternalInvoke 	js/src/jsinvoke.cpp:1381
9 	libmozjs.dylib 	JS_CallFunctionValue 	js/src/jsapi.cpp:5235
Severity: normal → critical
Keywords: crash
Summary: TM: crash at pentestmonkey.net/jsbm/index.html with jit enabled → TM: crash at pentestmonkey.net/jsbm/index.html with jit enabled [@ @0x6edc54 - js_Interpret]
This stack is pretty common for the crashes we're getting with this nightly build.
Assignee: general → gal
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b2
Crash in jit code. Stack dump is not useful but we can reproduce it.
Duplicate of this bug: 462020
related bug 462095 filed for md4 performance
Attached patch cleanedup patch (obsolete) — Splinter Review
Attachment #345218 - Attachment is obsolete: true
Attachment #345230 - Flags: review?(danderson)
Attached patch polishSplinter Review
Attachment #345230 - Attachment is obsolete: true
Attachment #345231 - Flags: review?(danderson)
Attachment #345230 - Flags: review?(danderson)
Attachment #345231 - Flags: review?(danderson) → review+
http://hg.mozilla.org/tracemonkey/rev/4441f30c5c54
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
FWIW, I still see the crash in today's nightly, using STR from bug 462020 (attempt to login at http://www.spoofee.com/forums/ )

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081029 Minefield/3.1b2pre

Maybe the fix was too late to make today's nightly?  (The fix landed at 10:40pm, and I thought the cutoff was later than that, but maybe I'm mistaken.)
Yeah, it was a bit too late to push changes over to central. If you could try the tracemonkey nightly or a tracemonkey tinderbox build that would be great.
Duplicate of this bug: 462122
Duplicate of this bug: 462219
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
Flags: in-testsuite-
Flags: in-litmus-
verified FIXED on builds: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090416 Minefield/3.6a1pre ID:20090416030845

and

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090417 Shiretoko/3.5b4pre ID:20090417030722
Status: RESOLVED → VERIFIED
Crash Signature: [@ @0x6edc54 - js_Interpret]
You need to log in before you can comment on or make changes to this bug.