Closed Bug 490632 Opened 11 years ago Closed 10 years ago

Crash [@ FuncFilter::ins2(nanojit::LOpcode,nanojit::LIns *,nanojit::LIns *)] on Talos

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set

Tracking

RESOLVED INCOMPLETE

People

(Reporter: ehsan, Unassigned)

Details

(Keywords: crash, intermittent-failure)

Crash Data

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1241001514.1241012124.25241.gz

This crash happened on an XP Talos box, and it's intermittent since other Talos runs from the same revision <http://hg.mozilla.org/mozilla-central/rev/fc3def2eef99> (including two previous runs on the same box) were not affected.

Stack follows:

 0  js3250.dll!FuncFilter::ins2(nanojit::LOpcode,nanojit::LIns *,nanojit::LIns *) [jstracer.cpp:fc3def2eef99 : 902 + 0x73]
    eip = 0x00333020   esp = 0x0012f618   ebp = 0x0012f64c   ebx = 0x011f18c0
    esi = 0x0000002a   edi = 0x011f1894   eax = 0x00000003   ecx = 0xff1f18bc
    edx = 0xff1f18bc   efl = 0x00010282
 1  js3250.dll!TraceRecorder::alu(nanojit::LOpcode,double,double,nanojit::LIns *,nanojit::LIns *) [jstracer.cpp:fc3def2eef99 : 5277 + 0x10]
    eip = 0x0033b38e   esp = 0x0012f654   ebp = 0x011f1894
 2  js3250.dll!TraceRecorder::binary(nanojit::LOpcode) [jstracer.cpp:fc3def2eef99 : 5980 + 0x18]
    eip = 0x0033b8bb   esp = 0x0012f680   ebp = 0x0012f6f4
 3  js3250.dll!TraceRecorder::monitorRecording(JSContext *,TraceRecorder *,JSOp) [jsopcode.tbl:fc3def2eef99 : 134 + 0x8]
    eip = 0x0032e0db   esp = 0x0012f6fc   ebp = 0x0012f72c
 4  js3250.dll!js_Interpret [jsinterp.cpp:fc3def2eef99 : 3015 + 0x7]
    eip = 0x00323af5   esp = 0x0012f734   ebp = 0x0012f92c
 5  js3250.dll!js_Execute [jsinterp.cpp:fc3def2eef99 : 1599 + 0x5]
    eip = 0x00304893   esp = 0x0012f934   ebp = 0x00000000
 6  js3250.dll!JS_EvaluateUCScriptForPrincipals [jsapi.cpp:fc3def2eef99 : 5165 + 0x10]
    eip = 0x002f01e1   esp = 0x0012f9b8   ebp = 0x0012f9d8
 7  xul.dll!nsJSContext::EvaluateString(nsAString_internal const &,void *,nsIPrincipal *,char const *,unsigned int,unsigned int,nsAString_internal *,int *) [nsJSEnvironment.cpp:fc3def2eef99 : 1603 + 0x45]
    eip = 0x1005d9cd   esp = 0x0012f9e0   ebp = 0x0012fa4c
 8  xul.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString const &) [nsScriptLoader.cpp:fc3def2eef99 : 686 + 0x3b]
    eip = 0x1006343e   esp = 0x0012fa54   ebp = 0x0012fb00
 9  xul.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest *) [nsScriptLoader.cpp:fc3def2eef99 : 600 + 0x9]
    eip = 0x101ad3e5   esp = 0x0012fb08   ebp = 0x0012fb3c
10  xul.dll!nsCOMArray_base::RemoveObject(nsISupports *) [nsCOMArray.cpp:fc3def2eef99 : 129 + 0x9]
    eip = 0x10028b4d   esp = 0x0012fba8   ebp = 0x0012fb3c
11  xul.dll + 0x3ab9f7
    eip = 0x103ab9f8   esp = 0x0012fbb8   ebp = 0x0012fb3c
Whiteboard: [orange]
Apparently it crashed at http://hg.mozilla.org/mozilla-central/annotate/fc3def2eef99/js/src/jstracer.cpp#l902

This line of code still exists:
http://hg.mozilla.org/mozilla-central/annotate/14b3ba7b71ae/js/src/jstracer.cpp#l1518

Andreas, can you figure this out based on the stack trace, or should we mark this as INCO (not enough information) / WFM (not still happening on Tinderbox)?
Whiteboard: [orange] → [orange] [needs stack evaluated for usefulness - tracemonkey]
Though those all seem to have frame #1 as TraceRecorder::relational rather than what's in comment 0.  Does that make it a different bug?
gal says he can't tell what the bug is based on this stack trace.

FWIW, bug 533035 should fix about half of the crashes in FuncFilter::ins2.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Whiteboard: [orange] [needs stack evaluated for usefulness - tracemonkey] → [orange]
Crash Signature: [@ FuncFilter::ins2(nanojit::LOpcode,nanojit::LIns *,nanojit::LIns *)]
Whiteboard: [orange]