Closed
Bug 611051
Opened 15 years ago
Closed 15 years ago
Firefox/4.0b8pre crash in [@ js::mjit::Compiler::jsop_relational_full(JSOp, int (*)(js::VMFrame&), unsigned char*, JSOp) ]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: marcia, Unassigned)
Details
(Keywords: crash, regression)
Crash Data
Seen while reviewing crash stats and new to the 20101110043309 build. http://tinyurl.com/2b9lekx links to all of the crashes so far today. The lone comment mentions that "Minefield is crashing all of the time."
Frame Module Signature [Expand] Source
0 mozjs.dll js::mjit::Compiler::jsop_relational_full js/src/methodjit/FastArithmetic.cpp:1524
1 mozjs.dll js::mjit::Compiler::jsop_relational js/src/methodjit/FastOps.cpp:758
2 mozjs.dll js::mjit::Compiler::generateMethod js/src/methodjit/Compiler.cpp:950
3 mozjs.dll js::mjit::Compiler::performCompilation js/src/methodjit/Compiler.cpp:202
4 mozjs.dll js::mjit::TryCompile js/src/methodjit/Compiler.cpp:235
5 mozjs.dll UncachedInlineCall js/src/methodjit/InvokeHelpers.cpp:387
6 mozjs.dll js::mjit::stubs::UncachedCallHelper js/src/methodjit/InvokeHelpers.cpp:488
7 mozjs.dll CallCompiler::update js/src/methodjit/MonoIC.cpp:779
8 mozjs.dll js::mjit::ic::Call js/src/methodjit/MonoIC.cpp:837
9 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:739
10 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:764
11 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:781
12 mozjs.dll js::RunScript js/src/jsinterp.cpp:662
13 mozjs.dll js::Invoke js/src/jsinterp.cpp:768
14 mozjs.dll js_fun_apply js/src/jsfun.cpp:2341
15 mozjs.dll CallCompiler::generateNativeStub js/src/methodjit/MonoIC.cpp:627
16 mozjs.dll js::mjit::ic::NativeCall js/src/methodjit/MonoIC.cpp:851
17 @0x76737be
18 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:739
19 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:764
20 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:781
21 mozjs.dll js::RunScript js/src/jsinterp.cpp:662
22 mozjs.dll js::Invoke js/src/jsinterp.cpp:768
23 mozjs.dll js_fun_apply js/src/jsfun.cpp:2341
24 mozjs.dll CallCompiler::generateNativeStub js/src/methodjit/MonoIC.cpp:627
25 mozjs.dll js::mjit::ic::NativeCall js/src/methodjit/MonoIC.cpp:851
26 @0x75aea71
27 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:739
28 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:764
29 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:781
30 mozjs.dll js::RunScript js/src/jsinterp.cpp:662
31 mozjs.dll js::Invoke js/src/jsinterp.cpp:768
32 mozjs.dll js_fun_apply js/src/jsfun.cpp:2341
33 mozjs.dll CallCompiler::generateNativeStub js/src/methodjit/MonoIC.cpp:627
34 mozjs.dll js::mjit::ic::NativeCall js/src/methodjit/MonoIC.cpp:851
35 @0x75ab044
36 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:739
37 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:764
38 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:781
39 mozjs.dll js::RunScript js/src/jsinterp.cpp:662
40 mozjs.dll js::Execute js/src/jsinterp.cpp:1008
41 mozjs.dll JS_EvaluateUCScriptForPrincipals js/src/jsapi.cpp:4829
42 mozjs.dll JS_EvaluateUCScriptForPrincipalsVersion js/src/jsapi.cpp:4805
43 xul.dll nsJSContext::EvaluateString dom/base/nsJSEnvironment.cpp:1731
|
Reporter | |
Updated•15 years ago
|
Summary: Firefox/4.0b8pre crash in @ js::mjit::Compiler::jsop_relational_full(JSOp, int (*)(js::VMFrame&), unsigned char*, JSOp) ] → Firefox/4.0b8pre crash in [@ js::mjit::Compiler::jsop_relational_full(JSOp, int (*)(js::VMFrame&), unsigned char*, JSOp) ]
|
||
Comment 1•15 years ago
|
||
I checked out a minidump, and it's really weird in MSVC. The disasm at the point of the crash is shown as:
0053915C mov ecx,dword ptr [ebp+2518h]
00539162 db 8bh
00539163 inc esp
00539164 db 24h
00539165 sbb byte ptr [eax-1E3DB9Ch],al
It gives eax=1 in the registers window. 1-1E3DB9Ch -> 0xfe1c2465, which the crash address in the crash report (all of the crash reports for this sig/buildid, in fact). So that much makes sense.
But db/inc/db/sbb is obviously not correct code--it's the kind of thing I see when we mispatch jitcode, for example. But this is in the JS dll. And, if we look at that address in the memory view and disassemble those bytes in a different disassembler, we get sensible code. And that sensible code has a reg/reg instruction at the crash EIP. This pretty much makes no sense.
Assuming that the disassembly is a correct view of that code memory when we crashed, I would think that the user's Firefox binaries got corrupted. But can a minidump possibly send back data that would show corrupted code memory like that? How would I know?
I'm hoping the minidump experts have some insight here.
|
||
Comment 2•15 years ago
|
||
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4ef3abd2012c&tochange=df1d1ff6b489
Keywords: regression
|
||
Comment 3•15 years ago
|
||
dmandelin: I really have no idea how MinidumpWriteDump works internally. When you're inspecting this dump, do you have the corresponding binaries available locally? If so, the memory view might be lying to you and just showing you the file contents instead of the actual memory from the minidump, whereas the disassembly might be actually showing you what's in the minidump. Can you point me at the specific minidump you were looking at?
|
|
||
Comment 4•15 years ago
|
||
I was using:
http://crash-stats.mozilla.com/report/index/a22af1b4-5b18-4f2d-b0e3-fea282101110
I do have the binaries locally. It does kind of make sense that the disassembly would show the "real" info from the minidump--that would mean the crash is caused by corrupted code memory, which would explain why it doesn't seem to have recurred.
|
|
||
Comment 5•15 years ago
|
||
FWIW, that minidump doesn't have a memory range that covers the instruction pointer from comment 1, so I don't know what was going on there.
|
|
||
Comment 6•15 years ago
|
||
(In reply to comment #5)
> FWIW, that minidump doesn't have a memory range that covers the instruction
> pointer from comment 1, so I don't know what was going on there.
Thanks for checking it out. I'm going to assume these reports came in from a parallel universe, since they haven't happened again.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
|
||
Updated•14 years ago
|
Crash Signature: [@ js::mjit::Compiler::jsop_relational_full(JSOp, int (*)(js::VMFrame&), unsigned char*, JSOp) ]
You need to log in
before you can comment on or make changes to this bug.
Description
•