Bug 487271 (Closed): Crash and missing google-maps background at padmapper.com [@ js_Invoke][@ JS_CallTracer]
Opened 14 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla1.9.2a1
People: Reporter: dholbert, Assigned: brendan
Details: Keywords: crash, regression, verified1.9.1; Whiteboard: fixed-in-tracemonkey
Attachments: 3 files, 2 obsolete files
STR:
1. Visit URL
2. Reload a bunch of times

EXPECTED RESULTS:
The page background should be a giant google maps canvas. Also, it shouldn't crash.

ACTUAL RESULTS:
Page background is missing, and it crashes after a few reloads. (Sometimes on the first reload, sometimes requires more, but so far I've been able to trigger a crash within ~15 sec of reloading)
http://crash-stats.mozilla.com/report/index/1be46faf-11a7-416b-9603-f60042090407
http://crash-stats.mozilla.com/report/index/62f95713-bd04-4cb7-b4e1-f704d2090407
http://crash-stats.mozilla.com/report/index/82c40099-f231-40b9-ae2f-166642090407

Both issues (missing background and crash) appear to be new regressions in today's nightly.

BROKEN: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090407 Minefield/3.6a1pre
WORKING: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090406 Minefield/3.6a1pre

Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b14428284d51&tochange=f0507c4d0abb

Looks likely to be a regression from sayrer's tracemonkey merge.
Comment 1 (Reporter) • 14 years ago
Related to bug 487238? (that bug mentions some crashes at js_invoke, as well as other spots, for a different URL)
Keywords: regression
Comment 2 (Reporter) • 14 years ago
FWIW, I hit this crash with jit.content disabled, too. http://crash-stats.mozilla.com/report/index/f61b8200-ea30-48e5-8e4c-30dbb2090407
Comment 3 • 14 years ago
This fixes the first bug here, but there's more. brendan and I think that there's an eval that the analysis can't see through that is letting a function ('u' in this case) escape, making it a funarg. brendan is going to write a patch to eagerly mark all sub-functions of a heavyweight (eval-using) function as a funarg.
Comment 4 • 14 years ago
Updated • 14 years ago
Assignee: general → brendan
Comment 5 (Assignee) • 14 years ago
Embarrassing, considering I implemented the display for upvars, part un. The eval thing was a case of me thinking the HEAVYWEIGHT flag poisoned the well, but it's not so. In a tree of functions T, with subtree S rooted at a function F that is a sibling of an eval callsite E, code eval'd by E cannot see F's kids, but it can certainly see F and help it escape. E can also see up the tree to all functions in enclosing functions. There can be more than one such F sibling, too, of course, and hoisting means E can facilitate the escape of any. /be
Status: NEW → ASSIGNED
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b4
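The scoping rule comment 5 describes, as an added JavaScript illustration that is not part of the bug, its attachments or the SpiderMonkey source. The names `runTree`, `inner`, `F`, `G`, `kid`, `sink` and `escapeViaEval` are hypothetical; the eval'd string is constructed sample input.

```javascript
// Added illustration; not code from bug 487271 or its patch.
// All names (runTree, inner, F, G, kid, sink) are hypothetical.
//
// Tree of functions: runTree > inner > { F > kid, G }, with a direct eval
// callsite E inside inner, i.e. a sibling of F and G.
function runTree(evalSource) {
  const upTheTree = "binding in the enclosing function";
  const sink = {}; // outlives the call to inner()

  function inner() {
    // E: direct eval. Its source is a runtime string, so nothing in the
    // program text says which names it will touch.
    eval(evalSource);

    // Declared after E, but function declarations are hoisted, so the
    // eval'd code can already see both siblings.
    function F() {
      function kid() { return "kid of F"; } // inside F's subtree
      return kid();
    }
    function G() { return "another sibling"; }
  }

  inner();
  return sink;
}

// Constructed eval source: copies references out of inner's scope and
// probes for a name that lives one level below F.
function escapeViaEval() {
  return runTree(
    "sink.f = F; sink.g = G; sink.up = upTheTree; sink.kidType = typeof kid;"
  );
}

const escaped = escapeViaEval();
console.log(escaped.f());      // F invoked after inner() has returned
console.log(escaped.g());      // a second sibling escaped the same way
console.log(escaped.up);       // E also sees bindings up the tree
console.log(escaped.kidType);  // F's kid is not in E's scope
```

`F` stays callable through `sink` after `inner()` has returned, which is the escape (funarg) case comments 3 and 5 refer to.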
Comment 6 (Assignee) • 14 years ago
Also, amazing how much works if you assume dynamic and static link are equivalent. Shallow is better than deep. /be
Updated (Assignee) • 14 years ago
Flags: in-testsuite?
Comment 7 (Assignee) • 14 years ago
Comment 8 (Assignee) • 14 years ago
Attachment #371598 - Attachment is obsolete: true
Attachment #371623 - Flags: review?(mrbkap)
Comment 9 (Assignee) • 14 years ago
I browsed google maps, ran SunSpider in-browser, used gmail... /be
Attachment #371623 - Attachment is obsolete: true
Attachment #371638 - Flags: review?(mrbkap)
Attachment #371623 - Flags: review?(mrbkap)
Updated • 14 years ago
Attachment #371638 - Flags: review?(mrbkap) → review+
Comment 11 • 14 years ago
Bug 487445 might be a dupe
Updated • 14 years ago
Severity: normal → critical
Comment 12 (Assignee) • 14 years ago
Fixed in tm:
http://hg.mozilla.org/tracemonkey/rev/c78d2d3532c1
I'll get it into m-c as soon as an incremental build is done with it and tested by folks looking for a fix. Thanks,
/be
Severity: critical → normal
Whiteboard: fixed-in-tracemonkey
Comment 13 • 14 years ago
Testing with latest TM build, seems to fix the crashes...
Vista HP SP1
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090408 Minefield/3.6a1pre Firefox/3.0.7 ID:20090408134409 <- TM hourly build
Comment 14 • 14 years ago
Built tm with the patch, loaded Google maps, docs, mail, reader and calendar without crashing. Poked around each app for a few min without any noticeable issues.
Comment 16 (Assignee) • 14 years ago
Andreas, any thoughts on the red linux talos box:
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1239222899.1239226027.11474.gz&fulltext=1

Stack excerpt:

Crash reason: SIGSEGV
Crash address: 0xb715eb04

Thread 0 (crashed)
 0 libmozjs.so!nanojit::StackFilter::read() [LIR.h:c78d2d3532c1 : 329 + 0x0]
   eip = 0xb715eb04 esp = 0xbfcc84f0 ebp = 0xbfcc8508 ebx = 0xb7170d34
   esi = 0xaec19060 edi = 0xbfcc8624 eax = 0xaec19060 ecx = 0x0000000b
   edx = 0xb0c19064 efl = 0x00210286
 1 libmozjs.so!nanojit::StackFilter::read() [LIR.cpp:c78d2d3532c1 : 1177 + 0xe]
   eip = 0xb715ea79 esp = 0xbfcc8510 ebp = 0xbfcc8538
 2 libmozjs.so!nanojit::DeadCodeFilter::read() [Assembler.cpp:c78d2d3532c1 : 81 + 0xb]
   eip = 0xb7159d14 esp = 0xbfcc8540 ebp = 0xbfcc8558
 3 libmozjs.so!nanojit::Assembler::gen(nanojit::LirFilter*, avmplus::List<unsigned char*, (avmplus::ListElementType)0>&) [Assembler.cpp:c78d2d3532c1 : 1075 + 0xb]
   eip = 0xb71592e9 esp = 0xbfcc8560 ebp = 0xbfcc85a8
 4 libmozjs.so!nanojit::Assembler::assemble(nanojit::Fragment*, avmplus::List<unsigned char*, (avmplus::ListElementType)0>&) [Assembler.cpp:c78d2d3532c1 : 849 + 0x6]
   eip = 0xb715941b esp = 0xbfcc85b0 ebp = 0xbfcc8648
 5 libmozjs.so!nanojit::compile(nanojit::Assembler*, nanojit::Fragment*) [LIR.cpp:c78d2d3532c1 : 2147 + 0xd]
   eip = 0xb715c295 esp = 0xbfcc8650 ebp = 0xbfcc86a8
 6 libmozjs.so!TraceRecorder::compile(JSTraceMonitor*) [jstracer.cpp:c78d2d3532c1 : 2570 + 0x19]
   eip = 0xb7146473 esp = 0xbfcc86b0 ebp = 0xbfcc86d8
 7 libmozjs.so!TraceRecorder::closeLoop(JSTraceMonitor*, bool&) [jstracer.cpp:c78d2d3532c1 : 2706 + 0xc]
   eip = 0xb714feab esp = 0xbfcc86e0 ebp = 0xbfcc8728
 8 libmozjs.so!TraceRecorder::checkTraceEnd(unsigned char*) [jstracer.cpp:c78d2d3532c1 : 3006 + 0x10]
   eip = 0xb714ffcc esp = 0xbfcc8730 ebp = 0xbfcc8768
 9 libmozjs.so!TraceRecorder::ifop() [jstracer.cpp:c78d2d3532c1 : 5240 + 0xa]
   eip = 0xb7150cfd esp = 0xbfcc8770 ebp = 0xbfcc87a8
10 libmozjs.so!TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) [jstracer.cpp:c78d2d3532c1 : 6468 + 0x8]
   eip = 0xb7155a57 esp = 0xbfcc87b0 ebp = 0xbfcc87d8
. . .

/be
Comment 18 • 14 years ago
http://hg.mozilla.org/mozilla-central/rev/c78d2d3532c1
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 19 (Reporter) • 14 years ago
VERIFIED FIXED in today's nightly, using STR from comment 0. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090409 Minefield/3.6a1pre Thanks!
Status: RESOLVED → VERIFIED
Comment 21 • 14 years ago
This also fixed a crash in @JS_CallTracer (bp-c8739b46-9527-4375-b78c-0dd6c2090407) which I was able to see in bug 487238 and which was duped against this one. Updating summary.
OS: Linux → All
Hardware: x86 → All
Summary: Crash [@ js_Invoke ], and missing google-maps background, at padmapper.com → Crash and missing google-maps background at padmapper.com [@ js_Invoke][@ JS_CallTracer]
Target Milestone: mozilla1.9.1b4 → mozilla1.9.2a1
Comment 22 • 14 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/add3cb14f9d2
Keywords: fixed1.9.1
Comment 23 • 14 years ago
Either bug 487271, bug 487534 or bug 487271 caused bug 488843.
Comment 24 • 14 years ago
I'm not able to crash Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090420 Shiretoko/3.5b4pre ID:20090420031111. I assume it is fixed on 1.9.1 too.
Severity: normal → critical
Keywords: fixed1.9.1 → verified1.9.1
Updated • 12 years ago
Crash Signature: [@ js_Invoke] [@ JS_CallTracer]