Closed
Bug 465580
Opened 16 years ago
Closed 16 years ago
TM: Crash when selecting "options" in new Yahoo Mail
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.1
People
(Reporter: foxtrotmike0-mozbugzilla, Assigned: dvander)
References
()
Details
(Keywords: crash, relnote, verified1.9.1)
Attachments
(2 files)
|
193 bytes,
application/x-javascript
|
Details | |
|
1.32 KB,
patch
|
gal
:
review+
beltzner
:
approval1.9.1b2+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1b2pre) Gecko/20081118 Minefield/3.1b2pre Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1b2pre) Gecko/20081118 Minefield/3.1b2pre Firefox crashes immediately when selecting "options" from within the new Yahoo Mail interface. Reproducible: Always Steps to Reproduce: 1. Log into Yahoo Mail. 2. Select "options." Actual Results: Firefox crashes immediately. Expected Results: Firefox should load the "options" sub-menu without crashing.
Summary: Crash when selection "options" in new Yahoo Mail → Crash when selecting "options" in new Yahoo Mail
|
||
Updated•16 years ago
|
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Summary: Crash when selecting "options" in new Yahoo Mail → TM: Crash when selecting "options" in new Yahoo Mail
Target Milestone: --- → mozilla1.9.1b2
|
|
||
Comment 1•16 years ago
|
||
Reported in the daily thread on the Mozillzine forums: http://forums.mozillazine.org/viewtopic.php?p=5019385#p5019385 and following: User set JIT.content to false and now Yahoo is reported to be working per the poster in the forums.
|
|
||
Updated•16 years ago
|
Severity: normal → major
Flags: blocking1.9.1?
Version: unspecified → Trunk
|
||
Comment 2•16 years ago
|
||
Not sure if its the same crash but Firefox crashes like hell when I type "crash" in the Keywords field.. :)
|
|
||
Comment 3•16 years ago
|
||
(In reply to comment #2) > Not sure if its the same crash but Firefox crashes like hell when I type > "crash" in the Keywords field.. :) Forgot to say: with Adblock Plus enabled.
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
|
||
Comment 4•16 years ago
|
||
Ria & Faxmaster, are you getting crash-reporter up ? post links to the crashes if so.
Keywords: crash
|
||
Comment 5•16 years ago
|
||
i build currently a new debug build to see whats crashing here.
Regression between 20081114 and 20081115 builds. Additional crash report using 20081115: http://crash-stats.mozilla.com/report/index/347ddb93-f202-499b-aa14-8db120081118?p=1
|
|
||
Comment 9•16 years ago
|
||
(In reply to comment #5) > i build currently a new debug build to see whats crashing here. This is works for me with a latest Debug Build - BuildID=20081118223418 Any chance this is fixed in a latest hourly after the tracemonkey merge ?
|
||
Comment 10•16 years ago
|
||
This could be a recently fixed bug dup. In case anyone gets this in a debugger: go up to js_MonitorLoopEdge and look at: cx->fp->script->filename cx->fp->script->lineno js_FramePCToLineNumber(cx, cx->fp) Try to wget that filename and extract the function whose body starts on that lineno. Thanks, /be
|
Reporter | |
Comment 11•16 years ago
|
||
Using latest hourly (build 20081118224742) still getting crashes. Two more reports: http://crash-stats.mozilla.com/report/index/7f1fcbb8-1f5c-434b-b472-252320081119?p=1 http://crash-stats.mozilla.com/report/index/c3919245-947e-420b-88bf-a69920081119
Target Milestone: mozilla1.9.1b2 → ---
|
|
||
Comment 12•16 years ago
|
||
(In reply to comment #4) > Ria & Faxmaster, are you getting crash-reporter up ? post links to the crashes > if so. The problem is still reproducible with yesterday's build but not with the latest hourly, so the Adblock Plus crash was possibly not related to this bug and fixed by a recent checkin :).
|
||
Comment 13•16 years ago
|
||
Faxmaster seems to disagree so lets leave this open for a bit.
|
|
Reporter | |
Comment 14•16 years ago
|
||
Upon further testing, I've found the following: 1. If Adblock is enabled, the crash occurs. 2. If Adblock is enabled and javascript.options.jit.content is set to false, there is no crash. 3. If Adblock is disabled and javascript.options.jit.content is set to true, there is no crash. This behavior has been tested on today's nightly (20081119).
|
Assignee | |
Comment 15•16 years ago
|
||
Reproduced, debugging.
|
|
Assignee | |
Updated•16 years ago
|
Assignee: general → danderson
|
|
Assignee | |
Comment 16•16 years ago
|
||
We're not guarding somewhere, simple test case to reproduce this crash attached. callee for toString is NULL the second time around and that's not guarded.
|
||
Comment 17•16 years ago
|
||
STR crashes on mac nightly as well. Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081119 Minefield/3.1b2pre My Stack: http://crash-stats.mozilla.com/report/index/36519057-6902-4542-877c-ed7020081119
OS: Windows XP → All
Hardware: PC → All
|
|
||
Comment 18•16 years ago
|
||
(In reply to comment #16) > Created an attachment (id=349062) [details] > test case > > We're not guarding somewhere, simple test case to reproduce this crash > attached. callee for toString is NULL the second time around and that's not > guarded. As noted in another bug (can't find the ref atm), trace-type-classifying null as object means we have to add extra not-null guards. Bleah. Investigate giving null its own typecode (5 since 3 is taken by JSVAL_BOXED). /be
|
|
Assignee | |
Comment 19•16 years ago
|
||
Guard that callee != NULL.
Attachment #349066 -
Flags: review?(gal)
|
|
||
Comment 20•16 years ago
|
||
Comment on attachment 349066 [details] [diff] [review] proposed fix + test case I suggest aborting trace if this == null during recording right before the if you inserted. Otherwise r=me.
Attachment #349066 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 21•16 years ago
|
||
Pushed fix as changeset http://hg.mozilla.org/tracemonkey/rev/d5e92772e8a1
Status: NEW → ASSIGNED
|
|
||
Comment 22•16 years ago
|
||
can we try and get this landed for beta 2 on m-c?
Target Milestone: --- → mozilla1.9.1b2
|
|
Assignee | |
Updated•16 years ago
|
Attachment #349066 -
Flags: approval1.9.1b2?
|
|
||
Comment 23•16 years ago
|
||
David, Andreas: is there a bug on file about typing null and object differently? /be
|
||
Comment 24•16 years ago
|
||
(In reply to comment #22) > can we try and get this landed for beta 2 on m-c? No. Please don't do this. Adding beta 2 blockers will delay builds, which delays your QA start, which delays ship. If you think something should be a beta 2 blocker, ask a driver. I'll approve this for b2 if there are cycles in the tree, but I don't think this blocks.
Keywords: relnote
Target Milestone: mozilla1.9.1b2 → mozilla1.9.1
|
|
||
Comment 25•16 years ago
|
||
Comment on attachment 349066 [details] [diff] [review] proposed fix + test case a191b2=beltzner, if you want this to make b2, please hurry to find a landing spot.
Attachment #349066 -
Flags: approval1.9.1b2? → approval1.9.1b2+
|
||
Comment 26•16 years ago
|
||
Patch landed in m-c.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 27•16 years ago
|
||
testNullCallee already in js1_8_1/trace/trace-test.js
Flags: in-testsuite+
Flags: in-litmus-
|
|
||
Updated•16 years ago
|
Keywords: fixed1.9.1
|
|
||
Comment 28•15 years ago
|
||
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•