Closed Bug 487317 Opened 16 years ago Closed 16 years ago

"Assertion failure: cx->builtinStatus == 0, at jstracer.cpp:3974" and crash at Facebook, using custom AdBlock filter ([@ js_AttemptToExtendTree], [@ SetStyleSheetReference], [@ js_MonitorLoopEdge], [@ js_DropObjectMap ])

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: dholbert, Unassigned)

Details

(Keywords: crash, regression, top500, Whiteboard: [see comment 5 to set up custom AdBlock filter])

I'm hitting an almost-immediate crash when logging into facebook with today's nightly. The first two times I tried, it crashed within seconds of logging in. The third time I tried, it didn't immediately crash -- but after reloading a few times, it did crash. (within 10 sec)
Crash reports:
  http://crash-stats.mozilla.com/report/index/ee4cfb15-8e34-4c14-aa41-0e7c32090407
  http://crash-stats.mozilla.com/report/index/6cddc844-1994-4d50-b84e-783f32090407
  http://crash-stats.mozilla.com/report/index/e80b6f35-da89-44e1-98cc-bf4772090407
The crashes all seem to be at different spots, which is kind of scary. I'm guessing this is due to the Tracemonkey merge yesterday. (I haven't verified that that's the regression range, though.)
(In reply to comment #0)
> I'm hitting an almost-immediate crash when logging into facebook with today's
> nightly.
User agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090407 Minefield/3.6a1pre
Just crashed again, this time in [@ js_DropObjectMap ]:
  http://crash-stats.mozilla.com/report/index/54727a47-ba91-4f48-87da-268892090407
I haven't been able to reproduce this with a fresh profile, though -- only my normal one. That might be a timing-related thing, with a fresh profile being too snappy to trigger whatever code path causes the badness...
Summary: Crash at facebook.com [@ js_AttemptToExtendTree], [@ SetStyleSheetReference], [@ js_MonitorLoopEdge] → Crash at facebook.com [@ js_AttemptToExtendTree], [@ SetStyleSheetReference], [@ js_MonitorLoopEdge], [@ js_DropObjectMap ]
can't repro on mac...
When running in a debug build, I reliably hit an assertion failure & subsequent abort when...
  (a) logging into facebook
  (b) restoring a session that's already logged in to facebook (and is loading facebook as one of the restored tabs)
The error output is:
  Assertion failure: cx->builtinStatus == 0, at /mozilla/js/src/jstracer.cpp:3968
  Trace/breakpoint trap
Ok -- I've isolated what differentiated my profile from a fresh profile. To reproduce this bug, do the following to a fresh profile:
  1. Install the Adblock Plus extension (I'm using ver 1.0.1)
  2. When Firefox restarts, select "EasyList (USA)" filter list
  3. Add a custom rule to AdBlock Plus:
     (a) go to Tools | Adblock Plus Preferences
     (b) click "Add Filter"
     (c) Enter "http://creative.ak.facebook.com/ads3/" (no quotes) into the resulting textbox
With these customizations, I can reliably reproduce the assertion failure & abort in a debug build by logging in and then reloading if necessary. I also was just able to reproduce the crash in an optimized build using a customized fresh profile, with this crash report:
  http://crash-stats.mozilla.com/report/index/7857f66e-d0ea-4de7-b815-d72642090407
So, just to be clear -- comment 5 suggests that this crash is triggered (in part) by Facebook calling a JS function that's defined in a file that the AdBlock filter catches.
FWIW, the patch for bug 487271 didn't fix this. I just reproduced the assertion failure & "Trace/breakpoint trap" abort with an up-to-date debug build (at changeset 231e1b2519a2).
Summary: Crash at facebook.com [@ js_AttemptToExtendTree], [@ SetStyleSheetReference], [@ js_MonitorLoopEdge], [@ js_DropObjectMap ] → "Assertion failure: cx->builtinStatus == 0, at jstracer.cpp:3974" and crash at facebook [@ js_AttemptToExtendTree], [@ SetStyleSheetReference], [@ js_MonitorLoopEdge], [@ js_DropObjectMap ]
It looks like bug 484773 is filed on the "cx->builtinStatus == 0" assertion -- marking this as a dependency, in the hopes that this bug will go away when that's fixed.
Depends on: 484773
Keywords: top500
Summary: "Assertion failure: cx->builtinStatus == 0, at jstracer.cpp:3974" and crash at facebook [@ js_AttemptToExtendTree], [@ SetStyleSheetReference], [@ js_MonitorLoopEdge], [@ js_DropObjectMap ] → "Assertion failure: cx->builtinStatus == 0, at jstracer.cpp:3974" and crash at Facebook, using custom AdBlock filter ([@ js_AttemptToExtendTree], [@ SetStyleSheetReference], [@ js_MonitorLoopEdge], [@ js_DropObjectMap ])
Whiteboard: [see comment 5 to set up custom AdBlock filter]
still hitting this?
I can't reproduce anymore -- I'll try reverting to an older changeset to make sure I can still reproduce it there (to make sure I'm not doing anything differently)... assuming that works, I'll resolve as WFM.
I can't reproduce using an old debug build (at changeset 231e1b2519a2) anymore :-/ Note that I *used* to be able to reproduce the bug using that changeset, in comment 7. I think I'm doing everything the same on my end, so I think the relevant Facebook content has changed. So this is WORKSFORME, but possibly just because of a change on Facebook's end.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ js_AttemptToExtendTree] [@ SetStyleSheetReference] [@ js_MonitorLoopEdge] [@ js_DropObjectMap ]