493177 - Browser crashes in loading of certain page.[@ js_Interpret]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Alice0775 White]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090514 Firefox/3.5.0 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090514 Firefox/3.5.0 (.NET CLR 3.5.30729)

When loading certain page, the browser is crashing.



Reproducible: Always

Steps to Reproduce:
1.Start Minefield.Shiretoko with new profile
2.Go URL
3.
Actual Results:  
The browser is crashing. with crash report.

Expected Results:  
No crash.

Regression range in Minefield(1.9.2):
Works fine:
http://hg.mozilla.org/mozilla-central/rev/68cfe7fb9f31
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090413 Minefield/3.6a1pre (.NET CLR 3.5.30729)

Broken:
http://hg.mozilla.org/mozilla-central/rev/68d9acc70491
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090414 Minefield/3.6a1pre (.NET CLR 3.5.30729)

Pushlog:
http://hg.mozilla.org/mozilla-central/p ... d9acc70491

Crash report:
Firefox 3.6a1pre Crash Report [@ js_Interpret ]
http://crash-stats.mozilla.com/report/i ... 090515?p=1


Regression range in Shiretoko(1.9.1):
Works fine:
http://hg.mozilla.org/releases/mozilla- ... 39d6b3b56d
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090418 Shiretoko/3.5b4pre

Broken:
http://hg.mozilla.org/releases/mozilla- ... a5ebd9a59c
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090419 Shiretoko/3.5b4pre

Pushlog:
http://hg.mozilla.org/releases/mozilla- ... a5ebd9a59c

Crash report:
Firefox 3.5b4pre Crash Report [@ js_Interpret ]
http://crash-stats.mozilla.com/report/i ... 090514?p=1


There is no check-in which overlaps between 1.9.1 and 1.9.2.
But Crash Report [@ js_Interpret ] is same.

And reported in http://forums.mozillazine.org/viewtopic.php?p=6487075#p6487075 , http://forums.mozillazine.org/viewtopic.php?p=6487095#p6487095
The browser is crashing on Windows Vista SP1 and Windows 7RC also.

Comment 1

[Jim Jeffery not reading bug-mail 1/2/11]

Also crashes latest trunk hourly.  Turning off JIT.content makes no difference, still crashes.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090515 Minefield/3.6a1pre Firefox/3.0.7 (.NET CLR 3.5.30729) ID:20090515020859
Vista HP SP1

Comment 2

[Jim Jeffery not reading bug-mail 1/2/11]

Checkins in the range are here:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=68cfe7fb9f31&tochange=68d9acc70491

thanks to Nick Thomas on IRC for the range-check.

Comment 3

[Jim Jeffery not reading bug-mail 1/2/11]

Alice's crash-reports got truncated it appears, here is crash-report from today's nightly on trunk: 

http://crash-stats.mozilla.com/report/index/74460c1c-f7f1-4ad8-9b36-0adb12090515?p=1

Comment 4

[Oakwine]

Crashes on Mac branch as well.

Comment 5

[Andreas Gal :gal]

This is related to upvar.

Comment 6

[Brendan Eich [:brendan]]

(In reply to comment #5)
> This is related to upvar.

No, look at the hook (comment 2, sayrer's landing -- thanks Littlemutt):

	49643dfd3008	Brendan Eich — Bug 488050 - upvar2: incorrect optimization of delete function_name (r=igor).
	2ee4d920011f	Andreas Gal — Remove amd64 code (will be replaced with tamarin's new amd64 backend, 487981, r=danderson).
	2c7ccbda59b5	Jeff Walden — Import http://hg.mozilla.org/mozilla-central/rev/a94142e82a0d to TM since it seems to be horking my shell builds (but not a browser build? odd, I thought I'd tested both)
	bbe2f2403eab	Brendan Eich — Bug 487968 - TM: shutdown leak of rt->builtinFunctions (r=jorendorff).
	70111870bcf8	Brendan Eich — Bug 488034 - Crash [@ js_GetUpvar] or "Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp" (r=mrbkap).
	c45574c9d3f0	Andreas Gal — Update ip in recycled branch fragments (487531, r=graydon).

Either bug 488050 or bug 488034. Investigating.

/be

Comment 7

[Brendan Eich [:brendan]]

From bug 493283 comment 2, that could be a dup of this bug. More in a bit.

/be

Comment 8

[Brian Carpenter [:geeknik]]

Here's another crash report if it's needed:

http://crash-stats.mozilla.com/report/index/71e78862-f59b-41f5-ac5f-868232090515

Comment 10

[Brendan Eich [:brendan]]

Attachment: reduced testcase

Thanks to mrbkap for buddying.

/be

Comment 11

[Brendan Eich [:brendan]]

Attachment: fix

Comment 12

[Brendan Eich [:brendan]]

Fixed in tm:

http://hg.mozilla.org/tracemonkey/rev/bcd8b4679e91

/be

Comment 13

[Brendan Eich [:brendan]]

Backed out, fixed the bogus assertion, relanded in tm:

http://hg.mozilla.org/tracemonkey/rev/c852a6b9b9d2

/be

Comment 14

[Brendan Eich [:brendan]]

Attachment: fix with bogus assertion corrected, for posterity

Comment 15

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to bug 488034 :

The first bad revision is:
changeset:   27186:70111870bcf8
user:        Brendan Eich
date:        Mon Apr 13 14:16:15 2009 -0700
summary:     Bug 488034 - Crash [@ js_GetUpvar] or "Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp" (r=mrbkap).

Comment 16

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/c852a6b9b9d2

Comment 17

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/29343bdf2338

Comment 18

[Marcia Knous [:marcia]]

Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090518 Shiretoko/3.5b5pre and  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090518 Shiretoko/3.5b5pre. I verified with the URL in the test case which crashed the 20090517 build (at least on Win XP).

Verified fixed on the trunk using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090518 Minefield/3.6a1pre and  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090518 Minefield/3.6a1pre.