Google Maps crash on tracemonkey branch [@ JSObject::removeProperty(JSContext*, int) ]

RESOLVED FIXED in mozilla2.0b7

Status

()

Core
JavaScript Engine
P1
major
RESOLVED FIXED
7 years ago
4 years ago

People

(Reporter: Aaron Kaluszka, Assigned: brendan)

Tracking

({regression})

Other Branch
mozilla2.0b7
regression
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 beta7+)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

7 years ago
Attempting to load maps.google.com results in a crash (builds 20100910044908 and 20100909043955).

http://crash-stats.mozilla.com/report/index/6adfe4c1-7c09-4edc-bbf5-e6df42100910
http://crash-stats.mozilla.com/report/index/bp-dbd3e100-47e1-4e96-8ea3-bdce82100909
http://crash-stats.mozilla.com/report/index/bp-bd14b2a2-4f6b-4ef9-badd-bf6b52100909
http://crash-stats.mozilla.com/report/index/bp-331f19dc-929e-4702-aa75-2f3332100909
I can't repro this locally. I tried a 20100909 TM nightly and a personal build from today. 

The crash signatures look like they might be scope-removal-related, or JM-related.

Can you still repro it now? And what happens if you set 

  javascript.options.methodjit.content = false

in about:config? Does it still crash?
(Reporter)

Comment 2

7 years ago
I still get the crash with methodjit disabled, with all jit disabled, and in safe mode with all jit disabled.
(Reporter)

Comment 3

7 years ago
I found out that I get the crash if I'm logged in, but not if I'm not.  I believe this must be due to Labs features being enabled.  I can trigger the crash easily when not logged in by simply mousing over the Labs icon in the top right corner.
(Assignee)

Comment 4

7 years ago
(In reply to comment #3)
> I found out that I get the crash if I'm logged in, but not if I'm not.  I
> believe this must be due to Labs features being enabled.  I can trigger the
> crash easily when not logged in by simply mousing over the Labs icon in the top
> right corner.

Can you say more about which Labs features? Maybe steps to reproduce (even if not minimal)?

This looks like fallout from bug 558451.

/be
Assignee: general → brendan
Blocks: 588451
(Reporter)

Comment 5

7 years ago
It actually doesn't take any specific Labs feature (it crashes before that).

Step 1. Load maps.google.com
Step 2. Mouse over the labs icon
(Reporter)

Updated

7 years ago
Blocks: 558451
No longer blocks: 588451

Comment 6

7 years ago
This crashes for me with all JITs disabled.

Updated

7 years ago
OS: Windows 7 → All
Hardware: x86_64 → All

Updated

7 years ago
blocking2.0: --- → beta6+

Comment 7

7 years ago
STR: just mouse over the little potion with "New!" next to it in the upper right. You might have to be logged in to a Google account.

Could be the same as bug 592214.
(Assignee)

Updated

7 years ago
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 593256
(Assignee)

Updated

7 years ago
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
(Assignee)

Comment 9

7 years ago
Rats.

/be
Status: REOPENED → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla2.0b6
(Assignee)

Updated

7 years ago
Duplicate of this bug: 595572
(Assignee)

Comment 11

7 years ago
Created attachment 474477 [details] [diff] [review]
fix

I may push this to tm and m-c ahead of review, to avoid nightly build user pain.

/be
Attachment #474477 - Flags: review?(jorendorff)
(Assignee)

Comment 12

7 years ago
Created attachment 474478 [details] [diff] [review]
fix

Use obj not pobj in add2dictfills reject-propcache-fill case.

/be
Attachment #474477 - Attachment is obsolete: true
Attachment #474478 - Flags: review?(jorendorff)
Attachment #474477 - Flags: review?(jorendorff)
(Assignee)

Comment 13

7 years ago
Created attachment 474482 [details] [diff] [review]
fix

With typo fix -- thanks to philor for proof-reading.

/be
Attachment #474478 - Attachment is obsolete: true
Attachment #474482 - Flags: review?(jorendorff)
Attachment #474478 - Flags: review?(jorendorff)
(Assignee)

Updated

7 years ago
Attachment #474482 - Flags: review?(dvander)
Attachment #474482 - Flags: review?(dvander) → review+
(Assignee)

Comment 14

7 years ago
http://hg.mozilla.org/tracemonkey/rev/1a5fefbe9f2f
http://hg.mozilla.org/mozilla-central/rev/cd3c926a7413

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago7 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
I turned off this test in the browser because it uses shapeOf (and fails because of it), which other tests lead me to believe is shell only.

http://hg.mozilla.org/mozilla-central/rev/484bd866905e
Attachment #474482 - Flags: review?(jorendorff) → review+

Comment 16

7 years ago
If this patch has indeed landed on the m-c Trunk build for September 12, 2010, it has fixed things on Google Maps. I have been able to load, get directions, zoom and scroll maps on GMaps on my Win7 system.
(Assignee)

Comment 17

7 years ago
Kyle: thanks for fixing jstests.list -- I propagated your change from m-c to tm. Sorry about the orange.

Ray: thanks for confirming.

/be
(Assignee)

Updated

7 years ago
Duplicate of this bug: 593932
I'm still seeing this crash on trunk, and from the looks of it, so are others.
http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=JSObject%3A%3AremoveProperty%28JSContext*%2C%20int%29&version=Firefox%3A4.0b6pre
I filed bug 596128 for a still-reproducable crash that looks similar to the ones reported here.
(Assignee)

Comment 21

7 years ago
Ryan, Gavin: new and different bug, I'm on it. Thanks for commenting (and filing, Gavin).

/be
(Assignee)

Comment 22

7 years ago
(Maybe not "new" -- perhaps contemporaneous -- but definitely "different".)
Keywords: regression
Blocks: 568275
Blocks: 872381
You need to log in before you can comment on or make changes to this bug.