Bug 500108 - Deep abort is not detected in JSOP_IN [@ TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*)]
Status: RESOLVED FIXED
Whiteboard: fixed-in-tracemonkey
Keywords: crash, topcrash, verified1.9.1.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 1.9.1 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla1.9.2a1
Assigned To: Andreas Gal :gal
: Jason Orendorff [:jorendorff]
URL: http://crash-stats.mozilla.com/report...
Duplicates: 501616
Depends on: 500192
Reported: 2009-06-23 20:14 PDT by Samuel Sidler (old account; do not CC)
Modified: 2015-10-16 11:39 PDT
Flags:
mbeltzner: blocking1.9.2+
samuel.sidler+old: blocking1.9.1.1+
mbeltzner: wanted1.9.1.x+
choller: in-testsuite-
beta1-fixed


Attachments
Debug Terminal Output (7.07 KB, text/plain) - 2009-06-26 11:21 PDT, Anthony Hughes (:ashughes) [GFX][QA][Mentor] - no flags
patch (868 bytes, patch) - 2009-06-26 16:24 PDT, Andreas Gal :gal - dvander: review+; samuel.sidler+old: approval1.9.1.1+

Description Samuel Sidler (old account; do not CC) 2009-06-23 20:14:23 PDT
The current #7 (earlier today #8) top crash in Firefox 3.5 RC happens with a signature of TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*).

This crash happens across platforms (Windows and Mac).

The majority of the stacks look like this, from bp-86691c70-423b-4957-9637-3f4c02090623:

Frame  	Module  	Signature  	Source
0 	js3250.dll 	TraceRecorder::emitIf(unsigned char*,bool,nanojit::LIns*) 	js/src/jstracer.cpp:3323
1 	js3250.dll 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9712
2 	js3250.dll 	js3250.dll@0x826df

However, a number of stacks look like this, from bp-64284f2b-0190-4720-8707-d8d652090623:

Frame  	Module  	Signature  	Source
0 	libmozjs.dylib 	TraceRecorder::emitIf(unsigned char*, bool, nanojit::LIns*) 	js/src/jstracer.cpp:3323
1 	libmozjs.dylib 	TraceRecorder::fuseIf(unsigned char*, bool, nanojit::LIns*) 	js/src/jstracer.cpp:3357
2 	libmozjs.dylib 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9712
3 	libmozjs.dylib 	TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) 	js/src/jsopcode.tbl:281
4 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3046
5 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
6 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
7 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
8 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
9 	XUL 	PrepareAndDispatch 	
10 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
11 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
12 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
13 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
14 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
15 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
16 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
17 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
18 	XUL 	XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) 	js/src/xpconnect/src/XPCWrapper.cpp:406
19 	XUL 	XPC_NW_NewResolve 	js/src/xpconnect/src/XPCNativeWrapper.cpp:748
20 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
21 	libmozjs.dylib 	js_FindProperty 	js/src/jsobj.cpp:3773
22 	libmozjs.dylib 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9704
23 	libmozjs.dylib 	TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) 	js/src/jsopcode.tbl:281
24 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3046
25 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
26 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
27 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
28 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
29 	XUL 	PrepareAndDispatch 	
30 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
31 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
32 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
33 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
34 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
35 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
36 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
37 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
38 	XUL 	XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) 	js/src/xpconnect/src/XPCWrapper.cpp:406
39 	XUL 	XPC_NW_NewResolve 	js/src/xpconnect/src/XPCNativeWrapper.cpp:748
40 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
41 	libmozjs.dylib 	js_FindProperty 	js/src/jsobj.cpp:3773
42 	libmozjs.dylib 	TraceRecorder::record_JSOP_IN() 	js/src/jstracer.cpp:9704
43 	libmozjs.dylib 	TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) 	js/src/jsopcode.tbl:281
44 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3046
45 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
46 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
47 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
48 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
49 	XUL 	PrepareAndDispatch 	
50 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
51 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
52 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
53 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
54 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
55 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
56 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
57 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
58 	XUL 	XPCWrapper::ResolveNativeProperty(JSContext*, JSObject*, JSObject*, XPCWrappedNative*, long, unsigned int, JSObject**, int) 	js/src/xpconnect/src/XPCWrapper.cpp:406
59 	XUL 	XPC_NW_NewResolve 	js/src/xpconnect/src/XPCNativeWrapper.cpp:748
60 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
61 	libmozjs.dylib 	js_FindProperty 	js/src/jsobj.cpp:3773
62 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:3415
63 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
64 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
65 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
66 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
67 	XUL 	PrepareAndDispatch 	
68 	XUL 	nsContentPolicy::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, short*) 	content/base/src/nsContentPolicy.cpp:157
69 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin(char const*, nsIURI*, nsIPluginInstanceOwner*) 	nsContentPolicyUtils.h:223
70 	XUL 	nsObjectFrame::InstantiatePlugin(nsIPluginHost*, char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:911
71 	XUL 	nsObjectFrame::Instantiate(char const*, nsIURI*) 	layout/generic/nsObjectFrame.cpp:1818
72 	XUL 	nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) 	content/base/src/nsObjectLoadingContent.cpp:1768
73 	XUL 	nsObjectLoadingContent::EnsureInstantiation(nsIPluginInstance**) 	content/base/src/nsObjectLoadingContent.cpp:783
74 	XUL 	nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe(nsIXPConnectWrappedNative*, nsIPluginInstance**) 	dom/src/base/nsDOMClassInfo.cpp:9251
75 	XUL 	nsHTMLPluginObjElementSH::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) 	dom/src/base/nsDOMClassInfo.cpp:9792
76 	XUL 	XPC_WN_Helper_NewResolve 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1074
77 	libmozjs.dylib 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:3850
78 	libmozjs.dylib 	js_GetPropertyHelper 	js/src/jsobj.cpp:4257
79 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:4449
80 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
81 	libmozjs.dylib 	js_fun_call 	js/src/jsfun.cpp:1985
82 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5147
83 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
84 	libmozjs.dylib 	js_fun_call 	js/src/jsfun.cpp:1985
85 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5147
86 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
87 	libmozjs.dylib 	js_fun_call 	js/src/jsfun.cpp:1985
88 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5147
89 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
90 	XUL 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
91 	XUL 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/src/xpconnect/src/xpcwrappedjs.cpp:561
92 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
93 	XUL 	PrepareAndDispatch 	
94 	XUL 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsPIDOMEventTarget*, unsigned int) 	content/events/src/nsEventListenerManager.cpp:1098
95 	XUL 	nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsPIDOMEventTarget*, unsigned int, nsEventStatus*) 	content/events/src/nsEventListenerManager.cpp:1206
96 	XUL 	nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, int) 	content/events/src/nsEventDispatcher.cpp:236
97 	XUL 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, int) 	content/events/src/nsEventDispatcher.cpp:300
98 	XUL 	nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*) 	content/events/src/nsEventDispatcher.cpp:514
99 	XUL 	nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) 	content/events/src/nsEventDispatcher.cpp:576
100 	XUL 	nsDocument::DispatchEvent(nsIDOMEvent*, int*) 	content/base/src/nsDocument.cpp:6178
155 	AppKit 	_DPSNextEvent 	
156 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
157 	AppKit 	-[NSApplication run] 	
158 	XUL 	nsAppShell::Run() 	widget/src/cocoa/nsAppShell.mm:720
159 	XUL 	nsAppStartup::Run() 	toolkit/components/startup/src/nsAppStartup.cpp:193
160 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3298
161 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
162 	firefox-bin 	firefox-bin@0x1541 	
163 	firefox-bin 	firefox-bin@0x1468 	
164 		@0x1

I'm hoping that second one is more helpful...

Lars, can you pull out URLs for this topcrash? Feel free to put them in a new, private bug for privacy issues.
Comment 1 Samuel Sidler (old account; do not CC) 2009-06-23 20:16:15 PDT
bp-b2082d60-2d00-4ccd-b035-c91e82090623 also offers a slightly different version of the second stack in comment 0.
Comment 2 Andreas Gal :gal 2009-06-24 07:38:31 PDT
Assuming I got hold of the right source version, the bug occurs here:

  3320 TraceRecorder::emitIf(jsbytecode* pc, bool cond, LIns* x)
  3321 {
  3322     ExitType exitType;
  3323     if (js_IsLoopEdge(pc, (jsbytecode*)fragment->root->ip)) {
  3324         exitType = LOOP_EXIT;

This smells like fragment->root being NULL or invalid. NULL would be a safe crash. Invalid would be worse. The URLs would be very useful. This might be an OOM condition issue. Adding graydon who did most of the blacklisting work and reviewing.
Comment 3 Andreas Gal :gal 2009-06-24 07:41:39 PDT
From the stack it looks like we have more than one recorder active. That's a bit sketchy. This should be reproducible from the URLs.
Comment 4 K Lars Lohn [:lars] [:klohn] 2009-06-24 07:54:45 PDT
Bug 500192 has URLs for Firefox 3.5, 3.5pre and 3.5b99 (in that order)
Comment 5 Andreas Gal :gal 2009-06-24 08:33:46 PDT
I had no luck with any of the top 30 urls, but

http://www.verycd.com/

appears frequently. Anyone else want to give this a shot?
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2009-06-24 08:37:49 PDT
(In reply to comment #5)
> I had no luck with any of the top 30 urls, but
> 
> http://www.verycd.com/
> 
> appears frequently. Anyone else wants to give this a shot?

That's a popular Chinese site btw.
Comment 7 Andreas Gal :gal 2009-06-24 10:40:10 PDT
Setting flag. Reproducing this would be great, and bisecting. Still tapping in the dark here.
Comment 8 Andreas Gal :gal 2009-06-24 10:46:32 PDT
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x10

Layout of Fragment:

            DWB(Fragment*) treeBranches; 0x00
            DWB(Fragment*) branches; 0x04
            DWB(Fragment*) nextbranch; 0x08
            DWB(Fragment*) anchor; 0x0c
            DWB(Fragment*) root; 0x10

So fragment->root is NULL as I initially suspected.
Comment 9 Robert Sayre 2009-06-24 18:39:41 PDT
has the automated QA crawler vs. crash URLs been tried?
Comment 10 Bob Clary [:bc:] 2009-06-24 20:22:35 PDT
I'm running them now, but the crash density is very low. I should have complete results for mac os x (macbook & older xserve), winxp and windows 2003 server soon.
Comment 11 Bob Clary [:bc:] 2009-06-25 10:17:24 PDT
no crashes or hangs in windows/mac with a build from yesterday.
Comment 12 Marcia Knous [:marcia - use ni] 2009-06-25 15:54:56 PDT
I crashed in this stack yesterday using Snow Leopard.  http://crash-stats.mozilla.com/report/index/bb8fffe6-47f2-422e-af24-68d682090624 is my breakpad. I crashed after installing several plugins.  Here is my machine config:

Generated: Thu Jun 25 2009 15:54:30 GMT-0700 (PST)
User Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build ID: 20090624012136

Enabled Extensions: [6]

    * Adblock Plus 1.0.2
    * Firebug 1.4.0b2
    * Firecookie 0.8
    * FireFTP 1.0.4
    * FirePHP 0.3
    * MR Tech Toolkit 6.0.3.3

Installed Themes: [1]

    * Default

Installed Plugins: (8)

    * Default Plugin
    * Flip4Mac Windows Media Plugin 2.2.3
    * Java Embedding Plugin 0.9.7.1
    * MoveNetworks Quantum Media Player
    * Picasa
    * QuickTime Plug-in 7.6.3
    * Shockwave Flash
    * Silverlight Plug-In
Comment 13 Andreas Gal :gal 2009-06-25 15:58:39 PDT
Marcia, can you reproduce the crash?
Comment 14 Marcia Knous [:marcia - use ni] 2009-06-25 16:11:51 PDT
Andreas, not yet - trying now. I have the history of the sites I was visiting around the time of the crash but so far no luck, and I am trying some of the sites in the attachment. Will keep you advised.
Comment 15 Marcia Knous [:marcia - use ni] 2009-06-25 16:17:01 PDT
Ok, I can now repro on my machine using these STR:

1. Visit http://www.wetanz.com/boromir-son-of-denethor-figure/
2. Select the spyglass in the picture. I crash every time.
Comment 16 Marcia Knous [:marcia - use ni] 2009-06-25 16:36:01 PDT
I should note that I can repro the crash on the Mac 10.6 lab machine with the config listed in Comment 12. I haven't been able to repro the crash on my 10.5 machine with my current profile.
Comment 17 Andreas Gal :gal 2009-06-25 17:10:35 PDT
I tried this with my TM tip debug build. No crash. We will have to do this with your 10.6 box. Do you have access to debug builds for 1.9.1? We should try to catch the crash with a debug build in gdb and then debug it on scene.
Comment 18 Marcia Knous [:marcia - use ni] 2009-06-26 10:14:26 PDT
I disabled Firebug on the 10.6 machine and that seems to eliminate the crash.  Should we still go ahead with a debug build on the 10.6 machine? A 10.4 machine running with Firebug and RC3 does not crash.
Comment 19 Andreas Gal :gal 2009-06-26 10:21:12 PDT
My gut feeling is that the bug is not 10.6 specific, it's just exposed there for some reason but not on the 10.4 box. So if you can go ahead and try to capture this with a debug build on the 10.6 box, that would be great. Thanks!
Comment 20 Marcia Knous [:marcia - use ni] 2009-06-26 10:28:17 PDT
Anthony was able to find out that the combination of Firebug and Adblock plus seems to trigger the crash. He is working on a debug build now.
Comment 21 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2009-06-26 10:47:07 PDT
I believe I have found reliable STR that is reproducible on all platforms (Windows, Mac and Linux):

1. Open Firefox with a new profile
2. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
3. Install Firebug from AMO and restart
4. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
5. Install Adblock Plus from AMO and restart (subscribe to EasyList USA)
6. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
7. Disable Firebug and restart
8. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
9. Enable Firebug and disable Adblock Plus then restart
10. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
11. Enable Adblock Plus
12. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.
13. Disable Flash
14. Navigate to http://www.wetanz.com/boromir-son-of-denethor-figure/, click the magnifying glass and browse around the image.

RESULT:
No Addons -> Widget works
Firebug-only -> Widget works
Adblock Plus-only -> Widget works
Firebug + Adblock Plus -> CRASH!
Disable Flash -> Widget Works
Comment 22 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2009-06-26 11:21:46 PDT
Created attachment 385425 [details]
Debug Terminal Output

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090626 Minefield/3.6a1pre

Here is the output from my debug build.  I marked my actions in the output itself.  It should be noted that Minefield just hangs for about a minute then the OSX crash reporter appears (same STR as before).
Comment 23 Gary Kwong [:gkw] [:nth10sd] 2009-06-26 11:24:10 PDT
(In reply to comment #22)
> Created an attachment (id=385425) [details]
> Debug Terminal Output
> 
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
> Gecko/20090626 Minefield/3.6a1pre
> 
> Here is the output from my debug build.  I marked my actions in the output
> itself.  It should be noted that Minefield just hangs for about a minute then
> the OSX crash reporter appears (same STR as before).

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090626 Shiretoko/3.5pre

I can repro simply by installing Firebug and Adblock Plus (easylist US) at one go, heading to http://www.wetanz.com/boromir-son-of-denethor-figure/ then clicking on the Zoom button.

CC'ing testcase-reducer-expert Jesse. :)

ref bp-e28c7a2a-d6ef-4ef5-a33f-92b4d2090626
Comment 24 Andreas Gal :gal 2009-06-26 11:35:35 PDT
Anthony: the 1 minute delay with debug builds is "normal". It seems Mac OS X is scanning the symbol tables in the debug build to produce the crash report. That seems to take forever. It's very annoying, but we see it all the time.
Comment 25 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2009-06-26 14:11:31 PDT
> I can repro simply by installing Firebug and Adblock Plus (easylist US) at one
> go, heading to http://www.wetanz.com/boromir-son-of-denethor-figure/ then
> clicking on the Zoom button.

Correct.  All that is required to reproduce the crash is Firefox, Adblock Plus, Firebug, and Flash.  My original STR was to prove all variables required to make this crash.  Sorry if the STR seemed a bit lengthy.
Comment 26 Andreas Gal :gal 2009-06-26 16:24:45 PDT
Created attachment 385501 [details] [diff] [review]
patch
Comment 27 Andreas Gal :gal 2009-06-26 16:27:14 PDT
This is a safe crash (always NULL). No flash or Adblock or Firebug needed, just a JSOP_IN property lookup that deep aborts us. Should be reasonably rare though. We can easily fix this for 3.5.1.

Great job by QA reproducing this. Thanks a lot Marcia and Anthony and Gary. I was easily able to catch this in GDB with your STR.
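Added example, not from this bug thread and not TraceMonkey or nanojit source: a small C model of the failure mode described in comment 8 and comment 27. The Fragment field order follows the layout quoted in comment 8, so with 4-byte pointers offsetof(Fragment, root) is 0x10, the reported crash address; a fault address that equals a field offset means the base pointer of that load was NULL. The lookup callback stands in for the property lookup in record_JSOP_IN whose resolve hook, per the stack in comment 0, re-enters the interpreter and can abort recording before the lookup returns. The Recorder struct, the status enum, the deep_aborted flag and all function names here are hypothetical; the actual patch is not reproduced on this page, so the guarded variant models the intent of the fix (detect the abort before emitting), not its code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the recorder state behind this crash; not TraceMonkey
 * or nanojit code. The Fragment field order follows comment 8, so with 4-byte
 * pointers offsetof(Fragment, root) is 0x10, the reported crash address. */
typedef struct Fragment {
    struct Fragment *treeBranches;
    struct Fragment *branches;
    struct Fragment *nextbranch;
    struct Fragment *anchor;
    struct Fragment *root;
    const void *ip;            /* emitIf reads fragment->root->ip */
} Fragment;

typedef struct Recorder {
    Fragment *fragment;
    bool deep_aborted;         /* set when the trace was torn down under us */
    int emitted;               /* IR emitted; must stay 0 after an abort */
} Recorder;

typedef enum { REC_CONTINUE, REC_ABORTED, REC_WOULD_FAULT } RecStatus;

/* A fault address equal to a field's offset means the base pointer of that
 * load was NULL: here, loading f->root through a NULL f. */
uintptr_t null_base_fault_address(void)
{
    return (uintptr_t)offsetof(Fragment, root);
}

/* Stand-in for the property lookup in record_JSOP_IN. The resolve hook it
 * triggers can run arbitrary JS and abort recording before it returns. */
typedef bool (*lookup_fn)(Recorder *r, const char *name);

bool lookup_plain(Recorder *r, const char *name)
{
    (void)r; (void)name;
    return true;               /* property found, nothing else happened */
}

bool lookup_with_deep_abort(Recorder *r, const char *name)
{
    (void)name;
    r->fragment = NULL;        /* the trace is gone by the time we return */
    r->deep_aborted = true;
    return true;
}

/* Models emitIf. The real function has no NULL check and faults on the
 * root load; this one reports what would have happened instead. */
RecStatus emit_if(Recorder *r, bool cond)
{
    (void)cond;
    if (r->fragment == NULL || r->fragment->root == NULL)
        return REC_WOULD_FAULT;
    r->emitted++;
    return REC_CONTINUE;
}

/* The shape of record_JSOP_IN as it crashed: the lookup result is used
 * without asking whether recording survived the lookup. */
RecStatus record_in_unguarded(Recorder *r, lookup_fn lookup, const char *name)
{
    bool found = lookup(r, name);
    return emit_if(r, found);
}

/* Guarded shape: detect the deep abort before touching recorder state. */
RecStatus record_in_guarded(Recorder *r, lookup_fn lookup, const char *name)
{
    bool found = lookup(r, name);
    if (r->deep_aborted)
        return REC_ABORTED;
    return emit_if(r, found);
}

int main(void)
{
    Fragment root = {0}, frag = {0};
    frag.root = &root;
    Recorder a = { &frag, false, 0 }, b = { &frag, false, 0 };

    printf("fault address for NULL base + root: 0x%zx\n",
           (size_t)null_base_fault_address());
    printf("unguarded after deep abort: %d\n",
           record_in_unguarded(&a, lookup_with_deep_abort, "zoom"));
    printf("guarded after deep abort:   %d\n",
           record_in_guarded(&b, lookup_with_deep_abort, "zoom"));
    return 0;
}
```

On a 32-bit build the first line prints 0x10, matching the EXCEPTION_ACCESS_VIOLATION address in comment 8; on a 64-bit host it prints 0x20, which is why the crash address alone only identifies the field, not the pointer width. The point of the guarded variant is that anything which can run script (a resolve hook, a plugin instantiation, a content-policy callback) can end the recording, so the recorder must re-check its own liveness after every such call rather than trust pointers it held before the call.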
Comment 28 Andreas Gal :gal 2009-06-26 16:30:33 PDT
http://hg.mozilla.org/tracemonkey/rev/71e3e7b40341
Comment 29 Gary Kwong [:gkw] [:nth10sd] 2009-06-27 06:00:03 PDT
Assertion failure: x->oprnd2() == lirbuf->sp || x->oprnd2() == lirbuf->state, at /Users/skywalker/comm-central/mozilla/js/src/jstracer.cpp:2312

Btw, I only needed to install Adblock Plus to trigger the assertion above (fatal in debug) when clicking the spyglass. Somehow Firebug turns that assertion into a crash, which explains why an optimized nightly requires Firebug. I'm still trying to get a local testcase though; the site apparently doesn't use XHR...
Comment 30 Andreas Gal :gal 2009-06-27 07:00:15 PDT
Gary, the assert is with or without the patch?
Comment 31 Gary Kwong [:gkw] [:nth10sd] 2009-06-27 07:01:19 PDT
(In reply to comment #30)
> Gary, the assert is with or without the patch?

Sorry forgot to mention, it's on Shiretoko 1.9.1, which is without the patch.
Comment 32 Mike Beltzner [:beltzner, not reading bugmail] 2009-06-29 09:41:11 PDT
If I'm expected to relnote this, I need an English description of the problem. So far I honestly can't determine where we expect this crash to occur based on the previous comments in this bug. Is it Snow Leopard specific or not?
Comment 33 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2009-06-29 09:58:58 PDT
(In reply to comment #32)
> If I'm expected to relnote this, I need an English description of the problem.
> So far I honestly can't determine where we expect this crash to occur based on
> the previous comments in this bug. Is it Snow Leopard specific or not?

Speaking to the OS question, I was able to reproduce it on all platforms.
Comment 34 Marcia Knous [:marcia - use ni] 2009-06-29 10:30:20 PDT
This bug affects all platforms and is currently the #29 top crash for 3.5 on crash-stats.  Comment 25 describes the three criteria that are needed: Adblock Plus, Firebug, and Flash. Certain sites such as tmobile and woot.com are referenced in the crash comments. 

(In reply to comment #32)
> If I'm expected to relnote this, I need an English description of the problem.
> So far I honestly can't determine where we expect this crash to occur based on
> the previous comments in this bug. Is it Snow Leopard specific or not?
Comment 35 Andreas Gal :gal 2009-06-29 10:42:22 PDT
Adblock Plus, Firebug and Flash are not needed. They are only needed for the specific reproducible test case. This can also happen under different circumstances without them.
Comment 39 Graydon Hoare :graydon 2009-07-01 06:35:44 PDT
*** Bug 501616 has been marked as a duplicate of this bug. ***
Comment 40 Graydon Hoare :graydon 2009-07-01 06:40:35 PDT
This is topcrash 48 in the 3.5 release, looks like possibly the sole tracemonkey culprit in the top 100, at the moment?

ref d8512612-d8a2-433b-b908-90d122090630 etc.
Comment 41 Robert Sayre 2009-07-05 10:05:31 PDT
This was merged on June 30, 2009

http://hg.mozilla.org/mozilla-central/rev/71e3e7b40341
Comment 42 Samuel Sidler (old account; do not CC) 2009-07-10 13:34:41 PDT
Let's get this in 1.9.1.1 since it fixes a topcrash. Andreas: Does this patch apply cleanly? Please request approval on an appropriate patch.
Comment 43 Samuel Sidler (old account; do not CC) 2009-07-13 15:05:03 PDT
Andreas: Ping on comment 42.
Comment 45 Mike Beltzner [:beltzner, not reading bugmail] 2009-07-15 22:31:08 PDT
Andreas/dvander: can you verify that this is fixed in latest-mozilla1.9.1 nightly or better yet the 3.5.1 release candidate: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.5.1-candidates/build1/
Comment 46 Andreas Gal :gal 2009-07-15 23:11:37 PDT
Verified using 3.5.1 candidate build (MacOSX).
Comment 47 Henrik Skupin (:whimboo) 2009-07-16 01:22:44 PDT
Andreas, checking with 3.5.1 means we have to flip the keyword to verified1.9.1.1. The bug status is set when verifying the bug against the most recent branch (trunk). I'll update the flags.
Comment 48 Andreas Gal :gal 2009-07-16 01:35:16 PDT
Thanks Henrik.
Comment 49 Mike Beltzner [:beltzner, not reading bugmail] 2009-08-25 10:39:05 PDT
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Comment 50 Mike Beltzner [:beltzner, not reading bugmail] 2009-10-30 13:17:54 PDT
Removing relnote
Comment 51 Christian Holler (:decoder) 2013-03-11 11:22:09 PDT
Filter on qa-project-auto-change:

Bug in removed tracer code, setting in-testsuite- flag.
