Closed Bug 657804 Opened 10 years ago Closed 10 years ago
Script installed, "open reftest analyzer" link at TBPL causes hang [@ js::Property Cache::fill ]
STEPS TO REPRODUCE: 1. Install NoScript w/ big green "INSTALL" button http://noscript.net/getit (Restart Firefox to complete installation) 2. Visit http://tbpl.mozilla.org/ 3. Click on an orange "R" reftest run. (If there are none, pick another tbpl page, like http://tbpl.mozilla.org/?tree=Try , and hopefully you'll find one.) 4. In the box for that reftest run at the bottom, click "Open reftest analyzer" ACTUAL RESULTS: Throbber spins for a second while page loads, and then a hang. If I "kill -11" the process, I get this crash-stack: 1 libxul.so js::PropertyCache::fill js/src/jsscope.h:744 2 libxul.so ExecuteRegExp js/src/yarr/yarr/RegexJIT.h:78 3 libxul.so js_regexp_test js/src/jsregexp.cpp:722 4 libxul.so js::Interpret js/src/jscntxtinlines.h:277 5 libxul.so js::Invoke js/src/jsinterp.cpp:684 6 libxul.so js_fun_call js/src/jsfun.cpp:2149 7 libxul.so js_fun_apply js/src/jsfun.cpp:2167 8 libxul.so js::Interpret js/src/jscntxtinlines.h:277 There's no hang if I don't install NoScript. I can reproduce 100% reliably in latest mozilla-central nightly as well as latest tracemonkey nightly. Crash reports (for kill -11): - nightly: bp-4edc54d2-6479-49e7-9fed-41a3c2110517 - tracemonkey: bp-e6beb6f5-28dc-444a-bc1d-f07862110517
(In reply to comment #0) > 2. Visit http://tbpl.mozilla.org/ > 3. Click on an orange "R" reftest run. > 4. In the box for that reftest run at the bottom, click "Open reftest analyzer" Here's an HTML document version of the data URL that gets loaded by that "Open reftest analyzer" link for me. If I simply load this testcase in lieu of steps 2-4, I hit the hang. (note that this testcase pulls in a current tinderbox log, so it will likely stop working once that log expires, in a few weeks I think)
(Sorry -- I forgot to note that in the original STR, you have of course have to click to allow scripts on tbpl between steps 2 and 3)
From tweaking the testcase & triggering the hang & running 'kill -11', I got: * 5 more crash reports at [@ js::PropertyCache::fill ] bp-ed6d7d65-a840-452e-b543-0ff452110517 bp-5cfd7bc7-8669-4bec-8275-8d3c02110517 bp-5e52a48e-bec7-4d9a-82ce-464ae2110517 bp-4dd6d577-7032-4975-ac80-431ae2110517 bp-73d45488-5211-4f52-a185-4c9c72110517 * 1 crash report at [@ js_GetMethod ] bp-82b453d7-937f-4b85-82af-4dc722110517
I also was able to reproduce this in a debug mozilla-central build with NoScript installed, with the attached testcase. (after allowing scripts for "mozilla.org" when prompted by NoScript) No assertion failures or anything particularly suspicious went by in my terminal -- just a hang.
This looks like a bug in Yarr. We're hanging in YarrJIT-generated code. There seems to be some hope that bug 625600 (which pulls in a fresh version of Yarr from Apple) will fix this. Let's put this bug on hold until that one lands and we can check.
Seems to be OK now. I'm closing, but reopen if it's not fixed for you.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 625600
You need to log in before you can comment on or make changes to this bug.