Closed Bug 516316 Opened 15 years ago Closed 13 years ago

Crash if I open the video stream from ustream.tv [@ nanojit::Allocator::reset]

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED WONTFIX

People

(Reporter: diogopinto_slb_wwe, Unassigned)

References

()

Details

(Keywords: crash, qawanted)

Crash Data

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-PT; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-PT; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) Add-ons: mozilla_cc@internetdownloadmanager.com:6.5,{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14,{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15,{B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.8,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0,firefox@tvunetworks.com:2,4,7,2,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3 BuildID: 20090824101458 CrashTime: 1252894266 Email: diogopinto_slb_wwe@live.com.pt InstallTime: 1252543818 ProductName: Firefox SecondsSinceLastCrash: 348631 StartupTime: 1252882430 Theme: classic/1.0 Throttleable: 1 URL: http://www.ustream.tv/channel/thisisdeadair Vendor: Mozilla Version: 3.5.3 Este relatório também contém informação técnica sobre o estado da aplicação falhou. Reproducible: Always
The crash information is not useful until it has been submitted to server. Please go to about:crashes and copy and paste relevant crash ids from there to this bug. See https://developer.mozilla.org/En/How_to_get_a_stacktrace_for_a_bug_report
Severity: major → critical
Component: Extension Compatibility → General
Keywords: crash
QA Contact: extension.compatibility → general
> http://ustream.tv this site is flash based. FYI on linux *without* flash i don't crash.
with flash enabled i can reproduce the crash. linux stack: #0 0xb80c3422 in __kernel_vsyscall () #1 0xb72997a6 in nanosleep () from /lib/tls/i686/cmov/libc.so.6 #2 0xb72995be in sleep () from /lib/tls/i686/cmov/libc.so.6 #3 0xb8081b76 in ah_crap_handler (signum=11) at /opt/pub/firefox-central/src/toolkit/xre/nsSigHandlers.cpp:149 #4 0xb8082e38 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:216 #5 <signal handler called> #6 0xb7fe365c in nanojit::Allocator::reset (this=0xb62b9000) at /opt/pub/firefox-central/src/js/src/nanojit/Allocator.cpp:59 #7 0xb7fb6492 in JSTraceMonitor::flush (this=0xb62b1068) at /opt/pub/firefox-central/src/js/src/jstracer.cpp:2104 #8 0xb7fcf555 in ResetJIT (cx=0xb1064800) at /opt/pub/firefox-central/src/js/src/jstracer.cpp:3551 #9 0xb7fd4314 in CheckGlobalObjectShape (cx=0xb1064800, tm=0xb62b1068, globalObj=0xb08d26e0, shape=0xbfadcf58, slots=0xbfadcf54) at /opt/pub/firefox-central/src/js/src/jstracer.cpp:4530 #10 0xb7fd5585 in js_MonitorLoopEdge (cx=0xb1064800, inlineCallCount=@0xbfadd6a4) at /opt/pub/firefox-central/src/js/src/jstracer.cpp:5976 #11 0xb7ee70cb in js_Interpret (cx=0xb1064800) at /opt/pub/firefox-central/src/js/src/jsops.cpp:341 #12 0xb7f11416 in js_Invoke (cx=0xb1064800, argc=2, vp=0xab99a4b8, flags=0) ---Type <return> to continue, or q <return> to quit---q at Quit (gdb) frame 6 #6 0xb7fe365c in nanojit::Allocator::reset (this=0xb62b9000) at /opt/pub/firefox-central/src/js/src/nanojit/Allocator.cpp:59 59 Chunk *prev = c->prev; (gdb) p *c Cannot access memory at address 0xff0060a8
Status: UNCONFIRMED → NEW
Ever confirmed: true
some assertions without flash: nsBlockReflowContext: Block(ul)(0)@0x7f5a0a752590 metrics=541200,0! nsBlockReflowContext: Block(ul)(0)@0x7f5a0a752590 metrics=541200,0! nsBlockReflowContext: Block(ul)(0)@0x7f5a0a752590 metrics=541200,0! nsBlockReflowContext: Block(ul)(0)@0x7f5a0a752590 metrics=541200,0! nsBlockReflowContext: Block(ul)(0)@0x7f5a0a752590 metrics=541200,0! ++DOCSHELL 0x7f5a07973800 == 18 ++DOMWINDOW == 39 (0x7f5a07976858) [serial = 47] [outer = (nil)] WARNING: Subdocument container has no frame: file /opt/pub/firefox-central/src/layout/base/nsDocumentViewer.cpp, line 2340 ++DOMWINDOW == 40 (0x7f5a08d99058) [serial = 48] [outer = 0x7f5a07976800] ###!!! ASSERTION: Adding child where we already have a child? This will likely misbehave: 'Error', file /opt/pub/firefox-central/src/docshell/shistory/src/nsSHEntry.cpp, line 598 ++DOMWINDOW == 41 (0x7f5a08e14c58) [serial = 49] [outer = 0x7f5a07976800] WARNING: NS_ENSURE_SUCCESS(rv, 0) failed with result 0x8000FFFF: file /opt/pub/firefox-central/src/content/base/src/nsContentUtils.cpp, line 2754 nsBlockReflowContext: Block(ul)(0)@0x7f5a09f58a10 metrics=541200,0! nsBlockReflowContext: Block(ul)(0)@0x7f5a09f58a10 metrics=541200,0! nsBlockReflowContext: Block(ul)(0)@0x7f5a09f58a10 metrics=541200,0! nsBlockReflowContext: Block(ul)(0)@0x7f5a09f58a10 metrics=541200,0!
georgi: thanks for the stack. Please don't leave confirmed bugs in General component though. (In reply to comment #4) > some assertions without flash: > ###!!! ASSERTION: Adding child where we already have a child? This will likely > misbehave: 'Error', file > /opt/pub/firefox-central/src/docshell/shistory/src/nsSHEntry.cpp, line 598 There are several bugs with this assertion, in particular bug 307421 looks similar.
Assignee: nobody → general
Component: General → JavaScript Engine
OS: Windows Vista → All
Product: Firefox → Core
QA Contact: general → general
Summary: Crash if I open the video stream from this site and others sites with tv streams. Happens every times. → Crash if I open the video stream from ustream.tv [@ nanojit::Allocator::reset]
This is definitively primarily a JS bug. Thanks for the report and the triaging work. Graydon, this is the code in question I believe: Chunk *c = current_chunk; while (c) { Chunk *prev = c->prev; this->freeChunk(c); c = prev; } A corrupted current_chunk is pretty bad news. If we can reproduce it a memory watchpoint might catch it.
Keywords: qawanted
QA: Until we know whats going on here it would be great if we can capture the test case to make sure it doesn't go away. Thanks!
Crash Signature: [@ nanojit::Allocator::reset]
Obsolete with the removal of tracejit.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: