Closed Bug 481302 Opened 16 years ago Closed 16 years ago

TM: Crash on webpage with jit.chrome=true [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: alice0775, Unassigned)

References

(
URL
)

Details

(Keywords: crash, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

assertion
2.33 KB, text/plain
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090303 Firefox/3.1b3pre Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090303 Minefield/3.2a1pre Crash When rloading of the page is completed. Reproducible: Always Steps to Reproduce: 1.Start Minefield with New Profile. 2.set javascript.options.jit.chrome to true in about:config. 3.Go URL Actual Results: Crash Minefield with the crash report. http://crash-stats.mozilla.com/report/index/8877ef0e-1f16-486f-95e8-8177b2090303?p=1 Expected Results: No crash. If javascript.options.jit.chrome not set to true, Minefield did not crash.
Confirmed with latest 3.1b3pre on Linux. bp-261825df-60ca-4a9c-a674-c40b02090303 Odd that it's the chrome JIT that is needed, and not the content JIT.
OS: Windows XP → All
Hardware: x86 → All
Summary: Crash [@ XPCWrappedNative::HasProto() ] → Crash with jit.chrome=true [@ XPCWrappedNative::HasProto() ]
Status: UNCONFIRMED → NEW
Ever confirmed: true
I get the same stack as you on Windows XP, but get completely different stacks for Shiretoko and Minefield on Linux. 3.1b3pre and 3.2a1pre on Windows: bp-8877ef0e-1f16-486f-95e8-8177b2090303 0 xul.dll XPCWrappedNative::HasProto js/src/xpconnect/src/xpcprivate.h:2181 1 xul.dll XPCWrappedNative::GetProto js/src/xpconnect/src/xpcprivate.h:2187 2 xul.dll nsXPConnect::Traverse js/src/xpconnect/src/nsXPConnect.cpp:749 3 xul.dll xul.dll@0xa0299f 3.1b3pre on Linux: bp-261825df-60ca-4a9c-a674-c40b02090303 0 libmozjs.so JS_CallTracer js/src/jsgc.cpp:1086 1 libmozjs.so js_TraceObject js/src/jsobj.cpp:5489 2 libmozjs.so JS_TraceChildren js/src/jsgc.cpp:2428 3 libmozjs.so JS_CallTracer js/src/jsgc.cpp:2704 4 libxul.so TraceScopeJSObjects js/src/xpconnect/src/xpcwrappednativejsops.cpp:653 5 libmozjs.so js_TraceObject js/src/jsobj.cpp:5467 6 libmozjs.so JS_TraceChildren js/src/jsgc.cpp:2428 7 libmozjs.so JS_CallTracer js/src/jsgc.cpp:2704 8 libxul.so XPCWrappedNativeProto::TraceJS js/src/xpconnect/src/nsXPConnect.cpp:1985 9 libxul.so XPCWrappedNative::TraceJS js/src/xpconnect/src/xpcprivate.h:2339 10 libxul.so xpc_TraceForValidWrapper js/src/xpconnect/src/xpcwrappednativejsops.cpp:694 11 libxul.so XPC_WN_Shared_Trace js/src/xpconnect/src/xpcwrappednativejsops.cpp:706 12 libmozjs.so js_TraceObject js/src/jsobj.cpp:5467 13 libmozjs.so JS_TraceChildren js/src/jsgc.cpp:2428 14 libmozjs.so JS_CallTracer js/src/jsgc.cpp:2704 15 libmozjs.so js_TraceContext js/src/jsgc.cpp:3028 16 libmozjs.so js_TraceRuntime js/src/jsgc.cpp:3113 17 libmozjs.so js_GC js/src/jsgc.cpp:3521 18 libmozjs.so JS_GC js/src/jsapi.cpp:2499 19 libxul.so nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:478 20 libxul.so nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:2256 21 libxul.so nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:2904 ... ... 3.2a1pre on Linux: bp-6854e97b-d717-426a-8ab6-d19ad2090303 0 libxul.so WrapperIsNotMainThreadOnly js/src/xpconnect/src/xpcprivate.h:2187 1 libxul.so nsXPConnect::Traverse js/src/xpconnect/src/nsXPConnect.cpp:749 2 libxul.so GCGraphBuilder::Traverse xpcom/base/nsCycleCollector.cpp:1319 3 libxul.so nsCycleCollector::MarkRoots xpcom/base/nsCycleCollector.cpp:1519 4 libxul.so nsCycleCollector::BeginCollection xpcom/base/nsCycleCollector.cpp:2374 5 libxul.so nsCycleCollector_beginCollection xpcom/base/nsCycleCollector.cpp:2916 6 libxul.so XPCCycleCollectGCCallback js/src/xpconnect/src/nsXPConnect.cpp:391 7 libmozjs.so js_GC js/src/jsgc.cpp:3532 8 libmozjs.so JS_GC js/src/jsapi.cpp:2498 9 libxul.so nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:478 10 libxul.so nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:2256 11 libxul.so nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:2904 ... ...
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: Crash with jit.chrome=true [@ XPCWrappedNative::HasProto() ] → TM: Crash on webpage with jit.chrome=true [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Version: unspecified → 1.9.1 Branch
Version: 1.9.1 Branch → Trunk
Regression range: No Crash: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090216 Minefield/3.2a1pre Crash: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090217 Minefield/3.2a1pre Changesets between the above regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-02-16+04%3A29%3A18&enddate=2009-02-17+03%3A32%3A29
I can confirm the crash using the steps in comment 0. with jit.chrome enabled, the URL will crash after trying to fully load. with jit.chrome disabled, the site loads without crashing. http://crash-stats.mozilla.com/report/index/32d3847b-da41-40d7-ad81-544ea2090305?p=1
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Priority: -- → P2
bsmedberg suggested we block on this since it can likely happen from content as well
Flags: blocking1.9.1? → blocking1.9.1+
Attached file assertion
Nothing happens to me if I run this from a started browser, but if I start up with ./firefox going directly to the page, I get the assertion in this attachment. chrome jit on.
Crashes 3.1b4pre build 20090314050040. http://crash-stats.mozilla.com/report/index/1e0110b5-ea03-47b6-9158-d154e2090314?p=1 I do have chrome jit on as well.
This seems to be fixed in the latest Tracemonkey branch build. (tested w/ WinXP & Linux)
Whiteboard: fixed-in-tracemonkey
Going to http://piro.sakura.ne.jp/index.html with 3.1b4pre build 20090315052502 still crashes. http://crash-stats.mozilla.com/report/index/cf208fd6-ff6c-4e80-ada8-a187c2090315 Vista Ultimate SP2 32bit and javascript.options.jit.chrome = true.
Blocks: 453668
This should be fixed in m-c now too, but not yet in Shiretoko. Look for fixed1.9.1 to mark that.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Keywords: fixed1.9.1
Verified fixed on trunk and 1.9.1 with builds on Windows and OS X: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090526 Minefield/3.6a1pre ID:20090526031623 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090526 Shiretoko/3.5pre ID:20090526031155
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Crash Signature: [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ] → [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Flags: wanted1.9.1?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: