TM: Crash when repeatedly clicking "up" video list navigation, if Linkification extension is installed [@ js3250.dll@0x90ff3 ]

RESOLVED FIXED

Status

Core
JavaScript Engine
P2
critical
9 years ago
7 years ago

People

(Reporter: IU, Unassigned)

Tracking

({crash, regression})

Trunk
x86
Windows XP
Bug Flags:
blocking1.9.2 +

Firefox Tracking Flags

(status1.9.2 beta1-fixed)

Details

(Whiteboard: Regression range in comment #2 (MC) and in comment #5 (TM), crash signature, URL)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090305 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090305 Minefield/3.2a1pre

With the Linkification extension installed, JIT chrome enabled, and the ABC News video player loaded (the linked URL), if one rapidly clicks the scroll "up" video list navigation arrow on the left-hand side, Minefield crashes with the signature: [@ js3250.dll@0x90ff3 ]: http://crash-stats.mozilla.com/report/index/d30e4c4d-64aa-4960-920e-896982090305

This crash also happens with the latest Tracemonkey nightly build, but the signature is slightly different: [@ js_Interpret ]: http://crash-stats.mozilla.com/report/index/864d61bd-48bb-4247-9697-70edf2090305

The crash occurs only if JIT chrome is enabled.

Reproducible: Always

Steps to Reproduce:
1. Set javascript.options.jit.chrome to: true
2. Install Linkification 3.5 and restart: https://addons.mozilla.org/en-US/firefox/addon/190
3. Visit the linked URL
4. Once the media player window has fully loaded, quickly and repeatedly click the media list scroll up arrow on the left-hand side of the media player page, until the browser crashes.
5. Try again with JIT chrome disabled.  Browser does not crash.

Actual Results:
Browser crashes

Expected Results:
Should function the same as when JIT chrome is not enabled (i.e. should not crash).
(Reporter)

Updated

9 years ago
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
Version: unspecified → Trunk
(Reporter)

Updated

9 years ago
Flags: blocking1.9.2?

Updated

9 years ago
Assignee: nobody → general
QA Contact: general → general
(Reporter)

Comment 1

9 years ago
Is there no one who can confirm this?  It should be easy to reproduce.
(Reporter)

Updated

9 years ago
Blocks: 453668
(Reporter)

Comment 2

9 years ago
Regression range:

Works:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090228 Minefield/3.2a1pre ID:20090228034747
http://hg.mozilla.org/mozilla-central/rev/f3d5f4a980a0

Fails:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090301 Minefield/3.2a1pre ID:20090301035004
http://hg.mozilla.org/mozilla-central/rev/ad8d75516c5e
Keywords: regression
Whiteboard: Regression range in comment #2
(Reporter)

Comment 3

9 years ago
0  	js3250.dll  	js3250.dll@0x90ff3  	
1 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1330
2 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608
3 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
4 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
5 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
6 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1079
7 	xul.dll 	xul.dll@0x3277f9 	
8 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:315
9 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:508
10 		@0x402ffff
bp-1f3b9ba6-ac81-45b6-ac19-821bd2090317 with
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090317 Minefield/3.6a1pre ID:20090317101214

works:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090226 Minefield/3.2a1pre ID:20090226023759
http://hg.mozilla.org/tracemonkey/rev/aea34f524423
fails:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090227 Minefield/3.2a1pre ID:20090227021444
http://hg.mozilla.org/tracemonkey/rev/737ca70d654f

=> bp-f5992c8e-ee92-44c4-bbf8-32c402090317
Signature	js_Interpret
UUID	f5992c8e-ee92-44c4-bbf8-32c402090317
Time 	2009-03-17 00:00:00
Uptime	26
Last Crash	655 seconds before submission
Product	Firefox
Version	3.2a1pre
Build ID	20090227021444
Branch	1.9.2
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
User Comments	again Bug 481804 test
Processor Notes 
0 	js3250.dll 	js_Interpret 	js/src/jsinterp.cpp:3673
1 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1336
2 	xul.dll 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*,unsigned short,XPTMethodDescriptor const*,nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608
3 	xul.dll 	nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const*,nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
4 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
5 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
6 	xul.dll 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*,nsIDOMEventListener*,nsIDOMEvent*,nsPIDOMEventTarget*,unsigned int) 	content/events/src/nsEventListenerManager.cpp:1079
7 	xul.dll 	xul.dll@0x7817c7 

=> range:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=aea34f524423&tochange=737ca70d654f
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: Regression range in comment #2 → Regression range in comment #2 (MC) and in comment #5 (TM)

Updated

9 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2

Comment 6

9 years ago
we still have this bug?
(Reporter)

Comment 8

9 years ago
Confirmed fixed.  Not sure when it would have been fixed, but I can no longer reproduce as of http://hg.mozilla.org/mozilla-central/rev/51f332235f14

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090803 Minefield/3.6a1pre ID:20090803044626
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
status1.9.2: --- → beta1-fixed
Keywords: fixed1.9.2
Crash Signature: [@ js3250.dll@0x90ff3 ]