random crash [@ nanojit::Assembler::asm_ld] during pageload test

RESOLVED INCOMPLETE

Status

defect
10 years ago
7 years ago

People

(Reporter: dbaron, Unassigned)

Tracking

({intermittent-failure})

Trunk
x86
Windows XP

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1238474182.1238482182.7955.gz shows a crash on the Firefox tinderbox (mozilla-central) during the pageload test (on "WINNT 5.1 talos mozilla-central qm-pxp-trunk01 on 2009/03/30 21:36:22"):

Operating system: Windows NT
                  5.1.2600 Service Pack 2
CPU: x86
     GenuineIntel family 6 model 15 stepping 2
     2 CPUs

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x1987c24

Thread 0 (crashed)
 0  js3250.dll!nanojit::Assembler::asm_ld(nanojit::LIns *) [Nativei386.cpp:a45593185b3a : 1145 + 0x11]
    eip = 0x002f0862   esp = 0x0012f438   ebp = 0x03987c28   ebx = 0x05987cf0
    esi = 0x007b7000   edi = 0x03987c28   eax = 0x00000003   ecx = 0xff800000
    edx = 0x01987c24   efl = 0x00010206
 1  js3250.dll!nanojit::DeadCodeFilter::read() [Assembler.cpp:a45593185b3a : 81 + 0x17]
    eip = 0x002f270c   esp = 0x0012f454   ebp = 0x00158a28
 2  js3250.dll!nanojit::Assembler::gen(nanojit::LirFilter *,avmplus::List<unsigned char *,0> &) [Assembler.cpp:a45593185b3a : 1195 + 0x7]
    eip = 0x002f10b5   esp = 0x0012f45c   ebp = 0x00158a28
 3  js3250.dll!TraceRecorder::set(int *,nanojit::LIns *,bool) [jstracer.cpp:a45593185b3a : 1931 + 0x28]
    eip = 0x003149f1   esp = 0x0012f578   ebp = 0x007b7000


The last output from the pageloader was:

NOISE: Cycle 4: loaded http://localhost/page_load_test/pages/www.nih.gov/www.nih.gov/index.html (next: http://localhost/pa

(some sort of buffering problem cut off part of the page that was next, I suppose, although given that buffering problem, we don't really know that there weren't more pages in the middle)
Whiteboard: [orange]

Comment 2

10 years ago
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1238856615.1238865894.16148.gz&fulltext=1

Last output (showed up after stack):
NOISE: Cycle 8: loaded http://localhost/page_load_test/pages/www.fanfiction.net/www.fanfiction.net/index.html (next: http://localhost/page_load_test/pages/www.msn.com.hk/www.msn.com.hk/Default.asp.html)

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x2291abc

Thread 0 (crashed)
 0  js3250.dll!nanojit::Assembler::asm_ld(nanojit::LIns *) [Nativei386.cpp:fec668a58714 : 1144 + 0x1d]
    eip = 0x6d87fe86   esp = 0x0029ec50   ebp = 0x04291ac4   ebx = 0x02291abc
    esi = 0x008bb000   edi = 0x04291ac4   eax = 0x00000003   ecx = 0xff800000
    edx = 0x00000008   efl = 0x00010202
 1  js3250.dll!nanojit::DeadCodeFilter::read() [Assembler.cpp:fec668a58714 : 81 + 0x17]
    eip = 0x6d881d8c   esp = 0x0029ec6c   ebp = 0x00000000
 2  js3250.dll!nanojit::Assembler::gen(nanojit::LirFilter *,avmplus::List<unsigned char *,0> &) [Assembler.cpp:fec668a58714 : 1195 + 0x7]
    eip = 0x6d880725   esp = 0x0029ec74   ebp = 0x00000000
 3  js3250.dll!nanojit::Assembler::assemble(nanojit::Fragment *,avmplus::List<unsigned char *,0> &) [Assembler.cpp:fec668a58714 : 849 + 0x33]
    eip = 0x6d878b53   esp = 0x0029ed94   ebp = 0x008bb000

Slightly different stack, same problem?
Different stack - same bug?

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1239731588.1239739548.31769.gz&fulltext=1

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x1383fe0

Thread 0 (crashed)
 0  js3250.dll!nanojit::Assembler::asm_ld(nanojit::LIns *) [Nativei386.cpp:7b4e5f6006a3 : 974 + 0x11]
    eip = 0x002fb991   esp = 0x0012f3b0   ebp = 0x007b7000   ebx = 0x003ff40c
    esi = 0x01383fe0   edi = 0x03383fe4   eax = 0x00000003   ecx = 0x0000000c
    edx = 0xff800000   efl = 0x00010202
 1  js3250.dll!nanojit::Assembler::gen(nanojit::LirFilter *,avmplus::List<unsigned char *,0> &) [Assembler.cpp:7b4e5f6006a3 : 1195 + 0x7]
    eip = 0x002f94f5   esp = 0x0012f3dc   ebp = 0x0012f520
 2  js3250.dll!nanojit::Assembler::assemble(nanojit::Fragment *,avmplus::List<unsigned char *,0> &) [Assembler.cpp:7b4e5f6006a3 : 849 + 0x33]
    eip = 0x002f3ea3   esp = 0x0012f4fc   ebp = 0x00000004
 3  js3250.dll!nanojit::compile(nanojit::Assembler *,nanojit::Fragment *) [LIR.cpp:7b4e5f6006a3 : 2147 + 0xd]
    eip = 0x002f40f6   esp = 0x0012f594   ebp = 0x007b7000

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox3.5/1243435907.1243443541.7090.gz&fulltext=1

WINNT 6.0 talos mozilla-1.9.1 qm-pvista-talos02 on 2009/05/27 07:51:47


Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0xffffffffff841210

Thread 0 (crashed)
 0  js3250.dll!nanojit::Assembler::asm_ld(nanojit::LIns *) [Nativei386.cpp:3a458536d553 : 974 + 0x11]
    eip = 0x6d46e510   esp = 0x002ff05c   ebp = 0x018410b0   ebx = 0x0000000c
    esi = 0x00bb1000   edi = 0x01841214   eax = 0x00000003   ecx = 0xff800000
    edx = 0xff841210   efl = 0x00010282
 1  js3250.dll!nanojit::DeadCodeFilter::read() [Assembler.cpp:3a458536d553 : 81 + 0x9]
    eip = 0x6d46deae   esp = 0x002ff07c   ebp = 0x00000000
 2  js3250.dll!nanojit::Assembler::gen(nanojit::LirFilter *,avmplus::List<unsigned char *,0> &) [Assembler.cpp:3a458536d553 : 1488 + 0xf]
    eip = 0x6d46e033   esp = 0x002ff088   ebp = 0x00000000
 3  js3250.dll!nanojit::Assembler::assemble(nanojit::Fragment *,avmplus::List<unsigned char *,0> &) [Assembler.cpp:3a458536d553 : 850 + 0x33]
    eip = 0x6d479105   esp = 0x002ff09c   ebp = 0x00000004

If we just run this test over and over, can we get it to trip frequently? graydon might be able to give us some cheap instrumentation to help us find the underlying (and FF3.5-blocking) crasher...

Sounds like this hasn't happened for a few months.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INCOMPLETE
Whiteboard: [orange]