Closed Bug 657804 Opened 10 years ago Closed 10 years ago

With NoScript installed, "open reftest analyzer" link at TBPL causes hang [@ js::PropertyCache::fill ]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 625600

People

(Reporter: dholbert, Unassigned)

Details

(Keywords: hang, reproducible, testcase)

Attachments

(2 files)

STEPS TO REPRODUCE:
 1. Install NoScript w/ big green "INSTALL" button http://noscript.net/getit
    (Restart Firefox to complete installation)
 2. Visit http://tbpl.mozilla.org/
 3. Click on an orange "R" reftest run. (If there are none, pick another tbpl page, like http://tbpl.mozilla.org/?tree=Try , and hopefully you'll find one.)
 4. In the box for that reftest run at the bottom, click "Open reftest analyzer"

ACTUAL RESULTS: Throbber spins for a second while page loads, and then a hang.

If I "kill -11" the process, I get this crash-stack:
1 	libxul.so 	js::PropertyCache::fill 	js/src/jsscope.h:744
2 	libxul.so 	ExecuteRegExp 	js/src/yarr/yarr/RegexJIT.h:78
3 	libxul.so 	js_regexp_test 	js/src/jsregexp.cpp:722
4 	libxul.so 	js::Interpret 	js/src/jscntxtinlines.h:277
5 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:684
6 	libxul.so 	js_fun_call 	js/src/jsfun.cpp:2149
7 	libxul.so 	js_fun_apply 	js/src/jsfun.cpp:2167
8 	libxul.so 	js::Interpret 	js/src/jscntxtinlines.h:277

There's no hang if I don't install NoScript.

I can reproduce 100% reliably in latest mozilla-central nightly as well as latest tracemonkey nightly.  Crash reports (for kill -11):
 - nightly:     bp-4edc54d2-6479-49e7-9fed-41a3c2110517
 - tracemonkey: bp-e6beb6f5-28dc-444a-bc1d-f07862110517

(In reply to comment #0)
>  2. Visit http://tbpl.mozilla.org/
>  3. Click on an orange "R" reftest run.
>  4. In the box for that reftest run at the bottom, click "Open reftest analyzer"

Here's an HTML document version of the data URL that gets loaded by that "Open reftest analyzer" link for me.  If I simply load this testcase in lieu of steps 2-4, I hit the hang.

(note that this testcase pulls in a current tinderbox log, so it will likely stop working once that log expires, in a few weeks I think)

(Sorry -- I forgot to note that in the original STR, you of course have to click to allow scripts on tbpl between steps 2 and 3)

From tweaking the testcase & triggering the hang & running 'kill -11', I got:
 * 5 more crash reports at [@ js::PropertyCache::fill ]
    bp-ed6d7d65-a840-452e-b543-0ff452110517
    bp-5cfd7bc7-8669-4bec-8275-8d3c02110517
    bp-5e52a48e-bec7-4d9a-82ce-464ae2110517
    bp-4dd6d577-7032-4975-ac80-431ae2110517
    bp-73d45488-5211-4f52-a185-4c9c72110517

 * 1 crash report at [@ js_GetMethod ]
    bp-82b453d7-937f-4b85-82af-4dc722110517

I also was able to reproduce this in a debug mozilla-central build with NoScript installed, with the attached testcase.  (after allowing scripts for "mozilla.org" when prompted by NoScript)

No assertion failures or anything particularly suspicious went by in my terminal -- just a hang.

This looks like a bug in Yarr. We're hanging in YarrJIT-generated code. There seems to be some hope that bug 625600 (which pulls in a fresh version of Yarr from Apple) will fix this. Let's put this bug on hold until that one lands and we can check.
Depends on: 625600

Seems to be OK now. I'm closing, but reopen if it's not fixed for you.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 625600