Closed Bug 493177 Opened 11 years ago Closed 11 years ago

Browser crashes in loading of certain page.[@ js_Interpret]

Categories

(Core :: JavaScript Engine, defect, P1)

1.9.1 Branch
defect


VERIFIED FIXED
mozilla1.9.1

People

(Reporter: alice0775, Assigned: brendan)


Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090514 Firefox/3.5.0 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090514 Firefox/3.5.0 (.NET CLR 3.5.30729)

When loading a certain page, the browser crashes.



Reproducible: Always

Steps to Reproduce:
1. Start Minefield.Shiretoko with a new profile
2. Go to the URL
Actual Results:  
The browser crashes, with a crash report.

Expected Results:  
No crash.

Regression range in Minefield(1.9.2):
Works fine:
http://hg.mozilla.org/mozilla-central/rev/68cfe7fb9f31
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090413 Minefield/3.6a1pre (.NET CLR 3.5.30729)

Broken:
http://hg.mozilla.org/mozilla-central/rev/68d9acc70491
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090414 Minefield/3.6a1pre (.NET CLR 3.5.30729)

Pushlog:
http://hg.mozilla.org/mozilla-central/p ... d9acc70491

Crash report:
Firefox 3.6a1pre Crash Report [@ js_Interpret ]
http://crash-stats.mozilla.com/report/i ... 090515?p=1


Regression range in Shiretoko(1.9.1):
Works fine:
http://hg.mozilla.org/releases/mozilla- ... 39d6b3b56d
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090418 Shiretoko/3.5b4pre

Broken:
http://hg.mozilla.org/releases/mozilla- ... a5ebd9a59c
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090419 Shiretoko/3.5b4pre

Pushlog:
http://hg.mozilla.org/releases/mozilla- ... a5ebd9a59c

Crash report:
Firefox 3.5b4pre Crash Report [@ js_Interpret ]
http://crash-stats.mozilla.com/report/i ... 090514?p=1


There is no check-in which overlaps between 1.9.1 and 1.9.2.
But the crash report [@ js_Interpret ] is the same.

And reported in http://forums.mozillazine.org/viewtopic.php?p=6487075#p6487075 , http://forums.mozillazine.org/viewtopic.php?p=6487095#p6487095
The browser is crashing on Windows Vista SP1 and Windows 7RC also.
Version: unspecified → 3.5 Branch
Also crashes latest trunk hourly.  Turning off JIT.content makes no difference, still crashes.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090515 Minefield/3.6a1pre Firefox/3.0.7 (.NET CLR 3.5.30729) ID:20090515020859
Vista HP SP1
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-firefox3.5?
Keywords: crash, regression
Assignee: nobody → general
Component: General → JavaScript Engine
Flags: blocking-firefox3.5?
Product: Firefox → Core
QA Contact: general → general
Version: 3.5 Branch → 1.9.1 Branch
Flags: blocking1.9.1?
Checkins in the range are here:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=68cfe7fb9f31&tochange=68d9acc70491

Thanks to Nick Thomas on IRC for the range-check.
Alice's crash reports got truncated, it appears; here is a crash report from today's nightly on trunk:

http://crash-stats.mozilla.com/report/index/74460c1c-f7f1-4ad8-9b36-0adb12090515?p=1
Crashes on Mac branch as well.
OS: Windows XP → All
Flags: blocking1.9.1? → blocking1.9.1+
This is related to upvar.
Blocks: upvar2
(In reply to comment #5)
> This is related to upvar.

No, look at the hook (comment 2, sayrer's landing -- thanks Littlemutt):

	49643dfd3008	Brendan Eich — Bug 488050 - upvar2: incorrect optimization of delete function_name (r=igor).
	2ee4d920011f	Andreas Gal — Remove amd64 code (will be replaced with tamarin's new amd64 backend, 487981, r=danderson).
	2c7ccbda59b5	Jeff Walden — Import http://hg.mozilla.org/mozilla-central/rev/a94142e82a0d to TM since it seems to be horking my shell builds (but not a browser build? odd, I thought I'd tested both)
	bbe2f2403eab	Brendan Eich — Bug 487968 - TM: shutdown leak of rt->builtinFunctions (r=jorendorff).
	70111870bcf8	Brendan Eich — Bug 488034 - Crash [@ js_GetUpvar] or "Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp" (r=mrbkap).
	c45574c9d3f0	Andreas Gal — Update ip in recycled branch fragments (487531, r=graydon).

Either bug 488050 or bug 488034. Investigating.

/be
Assignee: general → brendan
No longer blocks: upvar2
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1
From bug 493283 comment 2, that could be a dup of this bug. More in a bit.

/be
Status: NEW → ASSIGNED
Duplicate of this bug: 493283
Attached file reduced testcase
Thanks to mrbkap for buddying.

/be
Attached patch fix (obsolete) — Splinter Review
Attachment #377798 - Flags: review?(mrbkap)
Attachment #377798 - Flags: review?(mrbkap) → review+
Fixed in tm:

http://hg.mozilla.org/tracemonkey/rev/bcd8b4679e91

/be
Whiteboard: fixed-in-tracemonkey
Backed out, fixed the bogus assertion, relanded in tm:

http://hg.mozilla.org/tracemonkey/rev/c852a6b9b9d2

/be
Attachment #377798 - Attachment is obsolete: true
Attachment #377802 - Flags: review+
autoBisect shows this is probably related to bug 488034 :

The first bad revision is:
changeset:   27186:70111870bcf8
user:        Brendan Eich
date:        Mon Apr 13 14:16:15 2009 -0700
summary:     Bug 488034 - Crash [@ js_GetUpvar] or "Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp" (r=mrbkap).
Blocks: 488034
Keywords: testcase
http://hg.mozilla.org/mozilla-central/rev/c852a6b9b9d2
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090518 Shiretoko/3.5b5pre and  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090518 Shiretoko/3.5b5pre. I verified with the URL in the test case which crashed the 20090517 build (at least on Win XP).

Verified fixed on the trunk using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090518 Minefield/3.6a1pre and  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090518 Minefield/3.6a1pre.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_Interpret]