Closed
Bug 481302
Opened 12 years ago
Closed 12 years ago
TM: Crash on webpage with jit.chrome=true [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Categories
(Core :: JavaScript Engine, defect, P2)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: alice0775, Unassigned)
References
()
Details
(Keywords: crash, verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
|
2.33 KB,
text/plain
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090303 Firefox/3.1b3pre Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090303 Minefield/3.2a1pre Crash When rloading of the page is completed. Reproducible: Always Steps to Reproduce: 1.Start Minefield with New Profile. 2.set javascript.options.jit.chrome to true in about:config. 3.Go URL Actual Results: Crash Minefield with the crash report. http://crash-stats.mozilla.com/report/index/8877ef0e-1f16-486f-95e8-8177b2090303?p=1 Expected Results: No crash. If javascript.options.jit.chrome not set to true, Minefield did not crash.
|
||
Comment 1•12 years ago
|
||
Confirmed with latest 3.1b3pre on Linux. bp-261825df-60ca-4a9c-a674-c40b02090303 Odd that it's the chrome JIT that is needed, and not the content JIT.
OS: Windows XP → All
Hardware: x86 → All
Summary: Crash [@ XPCWrappedNative::HasProto() ] → Crash with jit.chrome=true [@ XPCWrappedNative::HasProto() ]
|
|
||
Updated•12 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 2•12 years ago
|
||
I get the same stack as you on Windows XP, but get completely different stacks for Shiretoko and Minefield on Linux. 3.1b3pre and 3.2a1pre on Windows: bp-8877ef0e-1f16-486f-95e8-8177b2090303 0 xul.dll XPCWrappedNative::HasProto js/src/xpconnect/src/xpcprivate.h:2181 1 xul.dll XPCWrappedNative::GetProto js/src/xpconnect/src/xpcprivate.h:2187 2 xul.dll nsXPConnect::Traverse js/src/xpconnect/src/nsXPConnect.cpp:749 3 xul.dll xul.dll@0xa0299f 3.1b3pre on Linux: bp-261825df-60ca-4a9c-a674-c40b02090303 0 libmozjs.so JS_CallTracer js/src/jsgc.cpp:1086 1 libmozjs.so js_TraceObject js/src/jsobj.cpp:5489 2 libmozjs.so JS_TraceChildren js/src/jsgc.cpp:2428 3 libmozjs.so JS_CallTracer js/src/jsgc.cpp:2704 4 libxul.so TraceScopeJSObjects js/src/xpconnect/src/xpcwrappednativejsops.cpp:653 5 libmozjs.so js_TraceObject js/src/jsobj.cpp:5467 6 libmozjs.so JS_TraceChildren js/src/jsgc.cpp:2428 7 libmozjs.so JS_CallTracer js/src/jsgc.cpp:2704 8 libxul.so XPCWrappedNativeProto::TraceJS js/src/xpconnect/src/nsXPConnect.cpp:1985 9 libxul.so XPCWrappedNative::TraceJS js/src/xpconnect/src/xpcprivate.h:2339 10 libxul.so xpc_TraceForValidWrapper js/src/xpconnect/src/xpcwrappednativejsops.cpp:694 11 libxul.so XPC_WN_Shared_Trace js/src/xpconnect/src/xpcwrappednativejsops.cpp:706 12 libmozjs.so js_TraceObject js/src/jsobj.cpp:5467 13 libmozjs.so JS_TraceChildren js/src/jsgc.cpp:2428 14 libmozjs.so JS_CallTracer js/src/jsgc.cpp:2704 15 libmozjs.so js_TraceContext js/src/jsgc.cpp:3028 16 libmozjs.so js_TraceRuntime js/src/jsgc.cpp:3113 17 libmozjs.so js_GC js/src/jsgc.cpp:3521 18 libmozjs.so JS_GC js/src/jsapi.cpp:2499 19 libxul.so nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:478 20 libxul.so nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:2256 21 libxul.so nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:2904 ... ... 3.2a1pre on Linux: bp-6854e97b-d717-426a-8ab6-d19ad2090303 0 libxul.so WrapperIsNotMainThreadOnly js/src/xpconnect/src/xpcprivate.h:2187 1 libxul.so nsXPConnect::Traverse js/src/xpconnect/src/nsXPConnect.cpp:749 2 libxul.so GCGraphBuilder::Traverse xpcom/base/nsCycleCollector.cpp:1319 3 libxul.so nsCycleCollector::MarkRoots xpcom/base/nsCycleCollector.cpp:1519 4 libxul.so nsCycleCollector::BeginCollection xpcom/base/nsCycleCollector.cpp:2374 5 libxul.so nsCycleCollector_beginCollection xpcom/base/nsCycleCollector.cpp:2916 6 libxul.so XPCCycleCollectGCCallback js/src/xpconnect/src/nsXPConnect.cpp:391 7 libmozjs.so js_GC js/src/jsgc.cpp:3532 8 libmozjs.so JS_GC js/src/jsapi.cpp:2498 9 libxul.so nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:478 10 libxul.so nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:2256 11 libxul.so nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:2904 ... ...
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: Crash with jit.chrome=true [@ XPCWrappedNative::HasProto() ] → TM: Crash on webpage with jit.chrome=true [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Version: unspecified → 1.9.1 Branch
|
|
||
Updated•12 years ago
|
Version: 1.9.1 Branch → Trunk
|
Reporter | |
Comment 3•12 years ago
|
||
Regression range: No Crash: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090216 Minefield/3.2a1pre Crash: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090217 Minefield/3.2a1pre Changesets between the above regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-02-16+04%3A29%3A18&enddate=2009-02-17+03%3A32%3A29
|
||
Comment 4•12 years ago
|
||
I can confirm the crash using the steps in comment 0. with jit.chrome enabled, the URL will crash after trying to fully load. with jit.chrome disabled, the site loads without crashing. http://crash-stats.mozilla.com/report/index/32d3847b-da41-40d7-ad81-544ea2090305?p=1
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Priority: -- → P2
|
||
Comment 5•12 years ago
|
||
bsmedberg suggested we block on this since it can likely happen from content as well
Flags: blocking1.9.1? → blocking1.9.1+
|
||
Comment 6•12 years ago
|
||
Nothing happens to me if I run this from a started browser, but if I start up with ./firefox going directly to the page, I get the assertion in this attachment. chrome jit on.
|
||
Comment 7•12 years ago
|
||
Crashes 3.1b4pre build 20090314050040. http://crash-stats.mozilla.com/report/index/1e0110b5-ea03-47b6-9158-d154e2090314?p=1 I do have chrome jit on as well.
|
|
||
Comment 8•12 years ago
|
||
This seems to be fixed in the latest Tracemonkey branch build. (tested w/ WinXP & Linux)
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 10•12 years ago
|
||
Going to http://piro.sakura.ne.jp/index.html with 3.1b4pre build 20090315052502 still crashes. http://crash-stats.mozilla.com/report/index/cf208fd6-ff6c-4e80-ada8-a187c2090315 Vista Ultimate SP2 32bit and javascript.options.jit.chrome = true.
|
|
||
Comment 11•12 years ago
|
||
This should be fixed in m-c now too, but not yet in Shiretoko. Look for fixed1.9.1 to mark that.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Updated•12 years ago
|
Keywords: fixed1.9.1
|
||
Comment 12•12 years ago
|
||
Verified fixed on trunk and 1.9.1 with builds on Windows and OS X: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090526 Minefield/3.6a1pre ID:20090526031623 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090526 Shiretoko/3.5pre ID:20090526031155
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
|
||
Updated•10 years ago
|
Crash Signature: [@ XPCWrappedNative::HasProto() ]
[@ JS_CallTracer ]
[@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
|
|
||
Updated•8 years ago
|
Crash Signature: [@ XPCWrappedNative::HasProto() ]
[@ JS_CallTracer ]
[@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ] → [@ XPCWrappedNative::HasProto() ]
[@ JS_CallTracer ]
[@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Flags: wanted1.9.1?
You need to log in
before you can comment on or make changes to this bug.
Description
•