Closed
Bug 560212
Opened 16 years ago
Closed 15 years ago
Crash [@ ClaimTitle] or [@ WillDeadlock] involving tracing of modified WebGL*Array
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
| status1.9.2 | --- | unaffected |
People
(Reporter: kbrosnan, Unassigned)
References
()
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files, 1 obsolete file)
Tested against Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.3a5pre) Gecko/20100419 Minefield/3.7a5pre - http://hg.mozilla.org/tracemonkey/rev/61bce35370b7
Enable webgl visit http://plopbyte.net/?page_id=111/ page will cause Firefox to crash. Disabling jit.content will stop the page from crashing.
Signature ClaimTitle
UUID e316a637-cf52-46a2-9580-245ab2100419
Time 2010-04-19 06:27:07.3440
Uptime 425
Last Crash 454 seconds before submission
Product Firefox
Version 3.7a5pre
Build ID 20100419030620
Branch 1.9.3
OS Linux
OS Version 0.0.0 Linux 2.6.33-ARCH #1 SMP PREEMPT Sun Apr 4 10:27:30 CEST 2010 x86_64
CPU amd64
CPU Info family 6 model 30 stepping 5
Crash Reason SIGSEGV
Crash Address 0x18
User Comments webgl - kbrosnan
Processor Notes
Related Bugs
Crashing Thread
Frame Module Signature Source
0 libmozjs.so ClaimTitle js/src/jslock.cpp:412
1 libmozjs.so js_LockTitle js/src/jslock.cpp:1210
2 libmozjs.so js_LockObj js/src/jslock.cpp:1331
3 libmozjs.so js_LookupPropertyWithFlags js/src/jsobj.cpp:4345
4 libmozjs.so js::TraceRecorder::test_property_cache js/src/jstracer.cpp:9188
5 libmozjs.so js::TraceRecorder::record_JSOP_CALLPROP js/src/jstracer.cpp:14618
6 libmozjs.so js::TraceRecorder::monitorRecording js/src/jsopcode.tbl:434
7 libmozjs.so js_Interpret js/src/jsops.cpp:78
8 libmozjs.so js_Invoke js/src/jsinterp.cpp:842
9 libmozjs.so js_InternalInvoke js/src/jsinterp.cpp:899
10 libmozjs.so JS_CallFunctionValue js/src/jsapi.cpp:4947
11 libxul.so nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2163
12 libxul.so nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:8405
13 libxul.so nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:8749
14 libxul.so nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:427
15 libxul.so nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:519
16 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527
17 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:250
18 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:118
19 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:173
20 libxul.so nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:174
21 libxul.so nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:182
22 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp:3519
23 firefox-bin main browser/app/nsBrowserApp.cpp:158
24 libc-2.11.1.so libc-2.11.1.so@0x1eb6c
|
Reporter | |
Updated•16 years ago
|
Summary: Crash [@ ClaimTitle ] → Crash [@ ClaimTitle]
|
||
Comment 1•16 years ago
|
||
I added a link to click on it, else it crashes the entire page. So click on the link 'Click Here to start the demo'
|
|
Reporter | |
Comment 2•16 years ago
|
||
Signature WillDeadlock
UUID 455d1fbf-278c-4cd6-86f0-c60c72100419
Time 2010-04-19 15:34:00.920825
Uptime 257
Last Crash 2295877 seconds before submission
Product Firefox
Version 3.7a5pre
Build ID 20100419035943
Branch 1.9.3
OS Windows NT
OS Version 6.1.7600
CPU x86
CPU Info GenuineIntel family 6 model 30 stepping 5
Crash Reason EXCEPTION_ACCESS_VIOLATION
Crash Address 0xc
User Comments
Processor Notes
Related Bugs
Crashing Thread
Frame Module Signature [Expand] Source
0 mozjs.dll WillDeadlock js/src/jslock.cpp:412
1 mozjs.dll js_LookupPropertyWithFlags
2 mozjs.dll js::TraceRecorder::test_property_cache js/src/jstracer.cpp:9188
3 mozjs.dll js::TraceRecorder::record_JSOP_CALLPROP js/src/jstracer.cpp:14618
4 mozjs.dll js::TraceRecorder::monitorRecording js/src/jsopcode.tbl:434
5 mozjs.dll js_Interpret js/src/jsops.cpp:78
6 mozjs.dll js_Invoke js/src/jsinterp.cpp:842
7 mozjs.dll js_InternalInvoke js/src/jsinterp.cpp:899
8 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:4947
9 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2163
10 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:8405
11 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:8749
12 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:427
13 nspr4.dll _PR_MD_UNLOCK nsprpub/pr/src/md/windows/w95cv.c:344
14 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:519
15 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527
16 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:142
17 xul.dll xul.dll@0x96beeb
18 xul.dll MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:216
19 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:199
20 xul.dll xul.dll@0x2dc703
21 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:173
22 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:174
23 xul.dll nsAppShell::Run widget/src/windows/nsAppShell.cpp:239
24 @0x7735ffff
25 @0x7682ffff
26 @0x7502ffff
OS: Linux → All
Hardware: x86 → All
Summary: Crash [@ ClaimTitle] → Crash [@ ClaimTitle] or [@ WillDeadlock]
|
||
Comment 3•16 years ago
|
||
|
|
||
Comment 4•16 years ago
|
||
|
|
||
Comment 5•16 years ago
|
||
Assertion failure: isNative(), at /Users/jruderman/central/js/src/jsscope.h:549
|
|
||
Comment 6•16 years ago
|
||
The reduced testcases crash even with WebGL disabled.
|
|
||
Comment 7•16 years ago
|
||
|
|
||
Comment 8•16 years ago
|
||
Tracing for WebGL*Array was added in bug 533659, so this shouldn't affect 3.6.
blocking2.0: --- → ?
status1.9.2:
--- → unaffected
|
|
||
Updated•16 years ago
|
Summary: Crash [@ ClaimTitle] or [@ WillDeadlock] → Crash [@ ClaimTitle] or [@ WillDeadlock] involving tracing of modified WebGL*Array
|
|
||
Updated•16 years ago
|
Severity: major → critical
Keywords: regression
I'm going to need a little help here with both of those.. am a little lost. For the defineGetter case though, typed arrays currently just ignore any non-indexed/out-of-range property sets, so I'm guessing defineGetter is interacting poorly with that somewhere.
|
||
Comment 10•15 years ago
|
||
We are hitting this same exact same issue, with a custom DOM event containing a Float32Array as an attribute. If, by accident, you happen to call some made-up name in a loop, you crash. This seems like a case that will happen a fair bit.
|
||
Updated•15 years ago
|
blocking2.0: ? → final+
|
||
Comment 11•15 years ago
|
||
This is no longer crashing for me, on linux x86-64. Feel free to reopen if it's still crashing for you.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 12•15 years ago
|
||
.v no crash with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a6pre) Gecko/20100615 Minefield/3.7a6pre either
Status: RESOLVED → VERIFIED
|
|
||
Comment 13•15 years ago
|
||
QA: testcase should be modified to use Float32Array instead of WebGLFloatArray, since the WebGLFloatArray name has been removed.
|
|
Reporter | |
Comment 14•15 years ago
|
||
Attachment #441130 -
Attachment is obsolete: true
|
|
||
Comment 15•15 years ago
|
||
(In reply to comment #14)
> Created attachment 471499 [details]
> reduced testcase #1 (crashes Firefox when loaded) updaed
This doesn't crash Firefox here (linux x86-64).
Can you post a stack trace? Also, if you get a crash, feel free to reopen...
|
|
Reporter | |
Comment 16•15 years ago
|
||
Sorry for the confusion, i just updated the testcase as Jessy suggested in comment 13. There is no crash on the current trunk.
|
||
Updated•14 years ago
|
Crash Signature: [@ ClaimTitle]
[@ WillDeadlock]
You need to log in
before you can comment on or make changes to this bug.
Description
•