Closed Bug 481302 Opened 12 years ago Closed 12 years ago

TM: Crash on webpage with jit.chrome=true [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]

Categories

(Core :: JavaScript Engine, defect, P2)

Tracking

VERIFIED FIXED
mozilla1.9.2a1

People

(Reporter: alice0775, Unassigned)

Details

(Keywords: crash, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090303 Firefox/3.1b3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090303 Minefield/3.2a1pre

Crash when loading of the page is completed.

Reproducible: Always

Steps to Reproduce:
1. Start Minefield with New Profile.
2. Set javascript.options.jit.chrome to true in about:config.
3. Go URL

Actual Results:
Crash Minefield with the crash report.
http://crash-stats.mozilla.com/report/index/8877ef0e-1f16-486f-95e8-8177b2090303?p=1

Expected Results:  
No crash.

If javascript.options.jit.chrome not set to true, Minefield did not crash.
Confirmed with latest 3.1b3pre on Linux.
bp-261825df-60ca-4a9c-a674-c40b02090303

Odd that it's the chrome JIT that is needed, and not the content JIT.
OS: Windows XP → All
Hardware: x86 → All
Summary: Crash [@ XPCWrappedNative::HasProto() ] → Crash with jit.chrome=true [@ XPCWrappedNative::HasProto() ]
Status: UNCONFIRMED → NEW
Ever confirmed: true
I get the same stack as you on Windows XP, but get completely different stacks for Shiretoko and Minefield on Linux.

3.1b3pre and 3.2a1pre on Windows:
bp-8877ef0e-1f16-486f-95e8-8177b2090303
0  	xul.dll  	XPCWrappedNative::HasProto  	 js/src/xpconnect/src/xpcprivate.h:2181
1 	xul.dll 	XPCWrappedNative::GetProto 	js/src/xpconnect/src/xpcprivate.h:2187
2 	xul.dll 	nsXPConnect::Traverse 	js/src/xpconnect/src/nsXPConnect.cpp:749
3 	xul.dll 	xul.dll@0xa0299f 

3.1b3pre on Linux:
bp-261825df-60ca-4a9c-a674-c40b02090303
0  	libmozjs.so  	JS_CallTracer  	js/src/jsgc.cpp:1086
1 	libmozjs.so 	js_TraceObject 	js/src/jsobj.cpp:5489
2 	libmozjs.so 	JS_TraceChildren 	js/src/jsgc.cpp:2428
3 	libmozjs.so 	JS_CallTracer 	js/src/jsgc.cpp:2704
4 	libxul.so 	TraceScopeJSObjects 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:653
5 	libmozjs.so 	js_TraceObject 	js/src/jsobj.cpp:5467
6 	libmozjs.so 	JS_TraceChildren 	js/src/jsgc.cpp:2428
7 	libmozjs.so 	JS_CallTracer 	js/src/jsgc.cpp:2704
8 	libxul.so 	XPCWrappedNativeProto::TraceJS 	js/src/xpconnect/src/nsXPConnect.cpp:1985
9 	libxul.so 	XPCWrappedNative::TraceJS 	js/src/xpconnect/src/xpcprivate.h:2339
10 	libxul.so 	xpc_TraceForValidWrapper 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:694
11 	libxul.so 	XPC_WN_Shared_Trace 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:706
12 	libmozjs.so 	js_TraceObject 	js/src/jsobj.cpp:5467
13 	libmozjs.so 	JS_TraceChildren 	js/src/jsgc.cpp:2428
14 	libmozjs.so 	JS_CallTracer 	js/src/jsgc.cpp:2704
15 	libmozjs.so 	js_TraceContext 	js/src/jsgc.cpp:3028
16 	libmozjs.so 	js_TraceRuntime 	js/src/jsgc.cpp:3113
17 	libmozjs.so 	js_GC 	js/src/jsgc.cpp:3521
18 	libmozjs.so 	JS_GC 	js/src/jsapi.cpp:2499
19 	libxul.so 	nsXPConnect::Collect 	js/src/xpconnect/src/nsXPConnect.cpp:478
20 	libxul.so 	nsCycleCollector::Collect 	xpcom/base/nsCycleCollector.cpp:2256
21 	libxul.so 	nsCycleCollector_collect 	xpcom/base/nsCycleCollector.cpp:2904
...
...

3.2a1pre on Linux:
bp-6854e97b-d717-426a-8ab6-d19ad2090303
0  	libxul.so  	WrapperIsNotMainThreadOnly  	 js/src/xpconnect/src/xpcprivate.h:2187
1 	libxul.so 	nsXPConnect::Traverse 	js/src/xpconnect/src/nsXPConnect.cpp:749
2 	libxul.so 	GCGraphBuilder::Traverse 	xpcom/base/nsCycleCollector.cpp:1319
3 	libxul.so 	nsCycleCollector::MarkRoots 	xpcom/base/nsCycleCollector.cpp:1519
4 	libxul.so 	nsCycleCollector::BeginCollection 	xpcom/base/nsCycleCollector.cpp:2374
5 	libxul.so 	nsCycleCollector_beginCollection 	xpcom/base/nsCycleCollector.cpp:2916
6 	libxul.so 	XPCCycleCollectGCCallback 	js/src/xpconnect/src/nsXPConnect.cpp:391
7 	libmozjs.so 	js_GC 	js/src/jsgc.cpp:3532
8 	libmozjs.so 	JS_GC 	js/src/jsapi.cpp:2498
9 	libxul.so 	nsXPConnect::Collect 	js/src/xpconnect/src/nsXPConnect.cpp:478
10 	libxul.so 	nsCycleCollector::Collect 	xpcom/base/nsCycleCollector.cpp:2256
11 	libxul.so 	nsCycleCollector_collect 	xpcom/base/nsCycleCollector.cpp:2904
...
...
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: Crash with jit.chrome=true [@ XPCWrappedNative::HasProto() ] → TM: Crash on webpage with jit.chrome=true [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Version: unspecified → 1.9.1 Branch
Version: 1.9.1 Branch → Trunk
Regression range:
No Crash:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090216 Minefield/3.2a1pre

Crash:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090217 Minefield/3.2a1pre

Changesets between the above regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-02-16+04%3A29%3A18&enddate=2009-02-17+03%3A32%3A29
I can confirm the crash using the steps in comment 0. With jit.chrome enabled, the URL will crash after trying to fully load. With jit.chrome disabled, the site loads without crashing.

http://crash-stats.mozilla.com/report/index/32d3847b-da41-40d7-ad81-544ea2090305?p=1
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Priority: -- → P2
bsmedberg suggested we block on this since it can likely happen from content as well
Flags: blocking1.9.1? → blocking1.9.1+
Attached file assertion
Nothing happens to me if I run this from a started browser, but if I start up with ./firefox going directly to the page, I get the assertion in this attachment.

chrome jit on.
Crashes 3.1b4pre build 20090314050040.

http://crash-stats.mozilla.com/report/index/1e0110b5-ea03-47b6-9158-d154e2090314?p=1

I do have chrome jit on as well.
This seems to be fixed in the latest Tracemonkey branch build.
(tested w/ WinXP & Linux)
Whiteboard: fixed-in-tracemonkey
Duplicate of this bug: 483485
Going to http://piro.sakura.ne.jp/index.html with 3.1b4pre build 20090315052502 still crashes.

http://crash-stats.mozilla.com/report/index/cf208fd6-ff6c-4e80-ada8-a187c2090315

Vista Ultimate SP2 32bit and javascript.options.jit.chrome = true.
Blocks: 453668
This should be fixed in m-c now too, but not yet in Shiretoko. Look for fixed1.9.1 to mark that.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: fixed1.9.1
Verified fixed on trunk and 1.9.1 with builds on Windows and OS X:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090526 Minefield/3.6a1pre ID:20090526031623

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090526 Shiretoko/3.5pre ID:20090526031155
Status: RESOLVED → VERIFIED
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ XPCWrappedNative::HasProto() ] [@ JS_CallTracer ] [@ WrapperIsNotMainThreadOnly(XPCWrappedNative*) ]
Flags: wanted1.9.1?