Closed Bug 475916 Opened 15 years ago Closed 15 years ago

crash when click on upper right hand corner search box of facebook [@ TraceRecorder::set]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: skww726+bugzilla, Assigned: gal)

References

(
URL
)

Details

(Keywords: crash, fixed1.9.1, regression, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(2 files, 1 obsolete file)

crash image
8.22 KB, image/gif
Details
v2
3.97 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko/20090128 Minefield/3.2a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko/20090128 Minefield/3.2a1pre

After clicking on the search box of http://www.facebook.com at upper right hand corner, firefox will crash.

Crash even with new profile with no plugin, but it will not crash in Safe Mode.

Reproducible: Always

Steps to Reproduce:
1.browse to http://www.facebook.com and logon
2.click on the search box on the upper right hand corner
3.crash without typing anything
Actual Results:  
crashed

Expected Results:  
allow to type the search string

start appear in hourly build 20090128 (I am using 20090128190032)
No crash on XP.  You should post your crash report link.
Attached image crash image 
No crash report being submitted :(
Theme=classic/1.0
StartupTime=1233221823
ServerURL=https://crash-reports.mozilla.com/submit
Add-ons=jqs@sun.com:1.0,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.2a1pre
BuildID=20090128190032
ProductName=Firefox
Vendor=Mozilla
Version=3.2a1pre
InstallTime=1233213508
URL=http://www.facebook.com/home.php?
CrashTime=1233221881
SecondsSinceLastCrash=779


it's the information get from the minidumps folder
Version: unspecified → Trunk
If no one shows up with windows 2000 and able to reproduce, you may have to manually get a stack trace.  See this article for how: https://developer.mozilla.org/En/How_to_get_a_stacktrace_with_WinDbg

Be sure to disable the Java Quick Starter extension first, as it prevents Firefox from loading via the debugger.

When opening the executable in the debugger (per the instructions in the linked article), if you have more than one Firefox profile, you need to use the -p option to specify the profile name on the "Arguments:" line, otherwise Firefox will not load.
Try 20090128 official nightly, and it do not crash.

It may be new bug introduced to the hourly build. I will wait for the next official nightly tomorrow, and try to reproduce the problem again.
I crash with the official nightly too and i'm under windows 7

http://crash-stats.mozilla.com/report/index/a3c90a59-0052-4906-8e38-9dc472090129

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090129 Minefield/3.2a1pre (.NET CLR 3.5.30729)
Keywords: crash, regression
Severity: normal → critical
Summary: crash when click on upper right hand corner search box of facebook → crash when click on upper right hand corner search box of facebook [@ TraceRecorder::set]
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
I could reproduce in XP SP3, too.

http://crash-stats.mozilla.com/report/pending/5ace35f1-5e25-41a0-bd40-308d82090129

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090129 Minefield/3.2a1pre (.NET CLR 3.5.30729) ID:20090129033611
I can reproduce this consistently with 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090129 FireFox/3.0.4 - Build ID: 20090129033611

Crash report id (I think) bp-bad9b05e-9ce9-43c0-aa57-8afbf2090129
Kenn: Wait, you can reproduce it with Firefox 3.0.4?  If so, that's not this bug, since the tracerecorder isn't in 3.0.4.  That crash report is from 3.2a1, though, so it looks like it fits.

Blocking.  Can someone find a regression range?  That would be super-helpful!
Flags: blocking1.9.1+
(In reply to comment #9)
> Kenn: Wait, you can reproduce it with Firefox 3.0.4?

No he can't.  Look at the string inside the parenthesis.
(In reply to comment #9)
> Kenn: Wait, you can reproduce it with Firefox 3.0.4?  If so, that's not this
> bug, since the tracerecorder isn't in 3.0.4.  That crash report is from 3.2a1,
> though, so it looks like it fits.
> 
> Blocking.  Can someone find a regression range?  That would be super-helpful!

No - I'm not using 3.0.4, that is in my build id to spoof my corp's sites that don't accept 3.2a1pre as a valid browser
Priority: -- → P1
pekkle, or anyone: are you using any extensions or do you have any specific
configuration? I cannot reproduce with trunk build 2 hours old from now
[Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko
Minefield/3.2a1pre ID:20090129210354]
Status: UNCONFIRMED → NEW
Ever confirmed: true
I just reproduced it with this hourly build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090129 FireFox/3.0.4 - Build ID: 20090129121519  which, if I read the build id properly,. was created at 12:15:19 today.  It crashed but didn't create a crash report.


Kenn
Just tried in safe mode - no crash with last hourly
I just tried disabling all of my extensions one by one - and it does it with them disabled.  Haven't tried the plug-ins yet.
Kenn: what options you used when starting safe mode? what extensions do you have installed? what firefox theme are you using?

Would you be willing to find the first hourly build that crashes for you? According to comment 5, 20090128 official nightly should yet not crash.
i can reproduce this crash with a fresh profile and no extensions , i haven't tried in safe mode, turning jit.content to false stops the crash.
(In reply to comment #16)
> Kenn: what options you used when starting safe mode? what extensions do you
> have installed? what firefox theme are you using?
> 
> Would you be willing to find the first hourly build that crashes for you?
> According to comment 5, 20090128 official nightly should yet not crash.

just used the safe mode from the windows start menu.
I am using Noia 3.57
(In reply to comment #17)
> i can reproduce this crash with a fresh profile and no extensions , i haven't
> tried in safe mode, turning jit.content to false stops the crash.

I just turned jit content to false and it stopped crashing.
(In reply to comment #19)
> (In reply to comment #17)
> > i can reproduce this crash with a fresh profile and no extensions , i haven't
> > tried in safe mode, turning jit.content to false stops the crash.
> 
> I just turned jit content to false and it stopped crashing.

this hourly crashes with jit content turned on:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090128 FireFox/3.0.4 - Build ID: 20090128174802

Can't find the ones before that....
Assignee: general → gal
Breakpoint 1, TraceRecorder::record_JSOP_NEXTITER (this=0x1c0639a0) at ../../../js/src/jstracer.cpp:7898
7898	MITIVE(iterobj_val))
(gdb) c
Continuing.

Breakpoint 1, TraceRecorder::record_JSOP_NEXTITER (this=0x17e79b10) at ../../../js/src/jstracer.cpp:7898
7898	MITIVE(iterobj_val))
(gdb) c
Continuing.

Breakpoint 1, TraceRecorder::record_JSOP_NEXTITER (this=0x17e79b10) at ../../../js/src/jstracer.cpp:7898
7898	MITIVE(iterobj_val))
(gdb) c
Continuing.

Breakpoint 1, TraceRecorder::record_JSOP_NEXTITER (this=0x17e79b10) at ../../../js/src/jstracer.cpp:7898
7898	MITIVE(iterobj_val))
(gdb) c
Continuing.

Breakpoint 1, TraceRecorder::record_JSOP_NEXTITER (this=0x17e79b10) at ../../../js/src/jstracer.cpp:7898
7898	MITIVE(iterobj_val))
(gdb) c
Continuing.

Breakpoint 1, TraceRecorder::record_JSOP_NEXTITER (this=0x17e924c0) at ../../../js/src/jstracer.cpp:7898
7898	MITIVE(iterobj_val))
(gdb) enable 2
(gdb) c
Continuing.

Breakpoint 2, js_Interpret (cx=0x2208fe00) at ../../../js/src/jsinterp.cpp:2948
2948	                fp->imacpc = NULL;
3: fp.imacpc = (jsbytecode *) 0x222b2443 "L\b??MT"
2: fp = (JSStackFrame *) 0x220fcd88
1: op = JSOP_STOP
(gdb) enable 3
(gdb) c
Continuing.

Breakpoint 3, js_Interpret (cx=0x2208fe00) at ../../../js/src/jsinterp.cpp:3083
3083	                BRANCH(len);
3: fp.imacpc = (jsbytecode *) 0x0
2: fp = (JSStackFrame *) 0x220fcd88
1: op = JSOP_IFNE
(gdb) enable 4
(gdb) c
Continuing.

We finish the above imacro and then hit the IFNE, which makes us look for trees for the target address:

Breakpoint 4, js_RecordLoopEdge (cx=0x2208fe00, r=0x17e924c0, inlineCallCount=@0xbfffc2f8) at ../../../js/src/jstracer.cpp:3563
3563	    if (OBJ_SCOPE(JS_GetGlobalForObject(cx, cx->fp->scopeChain))->title.ownercx != cx) {
(gdb) display cx.fp.imacpc
4: cx.fp.imacpc = (jsbytecode *) 0x0
(gdb) n
3568	    JSTraceMonitor* tm = &JS_TRACE_MONITOR(cx);
4: cx.fp.imacpc = (jsbytecode *) 0x0

We find one and run it.

3638	    VMSideExit* lr = js_ExecuteTree(cx, f, inlineCallCount, &innermostNestedGuard);
4: cx.fp.imacpc = (jsbytecode *) 0x0
(gdb) 
3639	    if (!lr) {
4: cx.fp.imacpc = (jsbytecode *) 0x222b2443 "L\b??MT"
(gdb) p cx.fp.regs.pc
$42 = (jsbytecode *) 0x3f437a "\f?I?"

It side-exits inside an imacro (pc points into imacro, imacpc is set).

(gdb) n
3644	    switch (lr->exitType) {
4: cx.fp.imacpc = (jsbytecode *) 0x222b2443 "L\b??MT"
(gdb) 
3667	        debug_only_v(printf("exit_type=%d\n", lr->exitType);)
4: cx.fp.imacpc = (jsbytecode *) 0x222b2443 "L\b??MT"
(gdb) 
3668	        js_AbortRecording(cx, "Inner tree not suitable for calling");
4: cx.fp.imacpc = (jsbytecode *) 0x222b2443 "L\b??MT"
(gdb) 
3669	        return false;
4: cx.fp.imacpc = (jsbytecode *) 0x222b2443 "L\b??MT"
(gdb) 
3681	tatic bool
4: cx.fp.imacpc = (jsbytecode *) 0x222b2443 "L\b??MT"
(gdb) 
js_MonitorLoopEdge (cx=0x2208fe00, inlineCallCount=@0xbfffc2f8) at ../../../js/src/jstracer.cpp:4124
4124	JS_ASSERT(!tm->recorder);
(gdb) 
4127	if (tm->reservedDoublePoolPtr < (tm->reservedDoublePool + MAX_NATIVE_STACK_SLOTS) &&
(gdb) 
4133	JSObject* globalObj = JS_GetGlobalForObject(cx, cx->fp->scopeChain);
(gdb) 
4134	uint32 globalShape = -1;
(gdb) 
4135	SlotList* globalSlots = NULL;
(gdb) 
4137	if (!js_CheckGlobalObjectShape(cx, tm, globalObj, &globalShape, &globalSlots))
(gdb) p cx.fp.regs.pc
$43 = (jsbytecode *) 0x3f437a "\f?I?"
(gdb) p cx.fp.imacpc
$44 = (jsbytecode *) 0x222b2443 "L\b??MT"
(gdb) n
4140	jsbytecode* pc = cx->fp->regs->pc;
(gdb) 
4142	if (oracle.getHits(pc) >= 0 && 
(gdb) p pc
$45 = (jsbytecode *) 0x3f437a "\f?I?"
(gdb) n
4148	Fragment* f = getLoop(tm, pc, globalShape);
(gdb) p pc
$46 = (jsbytecode *) 0x3f437a "\f?I?"
(gdb) n
4149	if (!f)
(gdb) p f
$47 = (class nanojit::Fragment *) 0x1d5be384

Here is where it gets bizarre. We are inside an imacro still and we seem to have a fragment for the imacro location:

(gdb) p f->ip
$48 = (const void *) 0x3f437a
(gdb) x/10x f->ip
0x3f437a <nextiter_imacros+18>:	0x0c	0xe7	0x49	0xc3	0x00	0x00	0xb8	0x00
0x3f4382 <iter_imacros+2>:	0x3f	0xe3
(gdb) p (JSOp)*(unsigned char*)f->ip
$57 = JSOP_DUP
(gdb) p (JSOp)((unsigned char*)f->ip)[1]
$58 = JSOP_HOLE
(gdb) p (JSOp)((unsigned char*)f->ip)[2]
$59 = JSOP_STRICTNE
(gdb) p (JSOp)((unsigned char*)f->ip)[3]
$60 = JSOP_STOP
(gdb)
OS: Windows 2000 → All
Target Milestone: --- → mozilla1.9.1b3
Attached patch patch (obsolete) — Splinter Review 
When invoking an inner tree there is no guarantee we land on a loop header again when we come out of that inner tree, so don't try to record or trigger traces there.
Attachment #359692 - Flags: review?(brendan)
Isn't there some kind of policy that we get a free facebook shirt if we make facebook.com not crash horribly? If there is not such policy, there should be one =)
Attached patch v2Splinter Review 
Be less pessimistic and allow recording of an inner tree as long we are still parked on the inner tree loop header. Otherwise bolt to the interpreter. This makes our trace-tests happy, which check that we immediate record and don't incur additional interpreter round-trips in between. No perf overhead on SS (might be a slight win).
Attachment #359692 - Attachment is obsolete: true
Attachment #359698 - Flags: review?(brendan)
Attachment #359692 - Flags: review?(brendan)
Comment on attachment 359698 [details] [diff] [review]
v2

stealing r? on request
Attachment #359698 - Flags: review?(brendan) → review+
Pushed to TM. We will try to get this into mozilla central tonight.

http://hg.mozilla.org/tracemonkey/rev/5ce67a3a2bd0
Whiteboard: fixed-in-tracemonkey
Blocks: 468782
I get this crash on both OS X and Windows XP.  The following are crash reports for it:

OS X:
fbe45709-2cec-4ecd-8d2a-620a02090130	1/30/09	5:55 PM
cccc95b2-0fdb-44b4-9f1a-346e42090130	1/30/09	5:54 PM
98e860b6-77e0-4de2-90a4-580002090130	1/30/09	8:42 AM
6e52635f-73d3-4cbe-a298-6d0672090130	1/30/09	12:53 AM
da6470ec-039f-4b52-a7fe-d364c2090130	1/30/09	12:53 AM
241af91b-a043-4e79-9cc8-886912090129	1/29/09	11:19 PM
1ea842a0-8587-43b5-b186-48f1a2090129	1/29/09	8:46 PM

XP:
d568783e-b6f4-4f2e-ae27-da66b2081210    12/10/2008    11:29 AM

Note: this is the same bug I reported in Bug 476124

Michael
Also, I did not get the issue before the 1/29 crash, so it would be the nightly built most recently before that crash.
BTW, when will the patch be applied to mozilla central nightly? Still crashing with the latest build. :(
Yes, we are not merged yet. I will try to find a volunteer for that.
http://hg.mozilla.org/mozilla-central/rev/5ce67a3a2bd0
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Is the 1.9.1 branch going to get this for beta 3?
Flags: in-testsuite-
Crash Signature: [@ TraceRecorder::set]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: