Closed
Bug 666094
Opened 13 years ago
Closed 13 years ago
Crash [@ js::StackFrame::initJitFrameLatePrologue() ] / [@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ] (Aurora 6)
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: m_kato, Assigned: luke
Details: Keywords: crash, regression, Whiteboard: fixed-in-tracemonkey
Attachments (1 file): 4.77 KB, patch (dvander: review+, christian: approval-mozilla-aurora+)
ENV
===
m-c Nightly 2011-06-20 (Win32 and Win64)

STEP
====
1. Browse http://dhtmlkitchen.com/jstest/scope-chain-performance-iframe.html
2. click [generateTestResults]

RESULT
======
bp-dbd6f24f-8e31-465a-8651-6229d2110621
0 mozjs.dll js::StackFrame::initJitFrameLatePrologue js/src/vm/Stack-inl.h:179
1 mozjs.dll js::mjit::stubs::CompileFunction js/src/methodjit/InvokeHelpers.cpp:286
2 xul.dll nsXPConnect::WrapNativeToJSVal js/src/xpconnect/src/nsXPConnect.cpp:1344
3 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5098
4 @0x136a1c7f

Not repro on Firefox 4 and 5.
Reporter
Updated•13 years ago
Summary: Crash [@ js::StackFrame::initJitFrameLatePrologue() ] when running → Crash [@ js::StackFrame::initJitFrameLatePrologue() ]
Comment 1•13 years ago
Can you get us a regression range on this?
Keywords: regressionwindow-wanted
Reporter
Comment 2•13 years ago
Repro -> ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-27-03-tracemonkey/firefox-6.0a1.en-US.win32.zip
Not Repro -> ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-26-03-tracemonkey/firefox-6.0a1.en-US.win32.zip
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=3c3f44c79685&tochange=d433ee7d9f86

User Push date [To Local] Changeset Patch author — Commit message

jwalden@mit.edu Tue Apr 26 19:47:42 2011 -0700
d433ee7d9f86 Jeff Walden — Bug 647385 - Implement a ToInteger helper that corresponds to the spec method (rather than inlining its contents everywhere it can be trivially used). Also fixes a couple bugs in one place that should have used ToInteger but didn't. r=cdleary
f1751a93f665 Jeff Walden — Bug 512266 - JSON.stringify for various special characters should produce the corresponding one-character escapes. r=pbiggar
a7b220e7425a Jeff Walden — Bug 635389 - Check for overrecursion in functions that might need it. r=jorendorff
8f7cf9d0b636 Jeff Walden — Bug 650574 - No recursion checks converting a cyclic object to source, if the object's toSource hooks are built-in functions. r=luke

cleary@mozilla.com Tue Apr 26 15:26:18 2011 -0700
17dffff00f56 Chris Leary — Passing bug 646184 crashtest assertion. (r=dbaron)

lwagner@mozilla.com Tue Apr 26 14:33:57 2011 -0700
c08f97b3f842 Luke Wagner — Fix linker error. I fixed this in the patch I pushed to try but seem to have lost it in the meantime (r=burning-windows)

lwagner@mozilla.com Tue Apr 26 13:39:40 2011 -0700
7faf405fa9f0 Luke Wagner — Fix --disable-methodjit bustage (r=red)

lwagner@mozilla.com Tue Apr 26 13:27:51 2011 -0700
e9da34dfa8c5 Luke Wagner — Bug 644074 - Simplify and consolidate VM stack code into js/src/vm/Stack*

cleary@mozilla.com Tue Apr 26 10:43:47 2011 -0700
28bc239d3d9d Chris Leary — Merge mozilla-central and tracemonkey.
← 489 hidden changesets [Expand]

evilpies@gmail.com Tue Apr 26 07:26:53 2011 -0700
3dc303216231 Tom Schuster — Fix style nit request in Bug 651973 r=jorendorff via irc

jandemooij@gmail.com Tue Apr 26 01:31:30 2011 -0700
de7b0f3323c1 Jan de Mooij — Bug 646938 - Fix NaN-check in jsop_
Crash Signature: @ js::StackFrame::initJitFrameLatePrologue() → [@ js::StackFrame::initJitFrameLatePrologue() ]
Reporter
Comment 3•13 years ago
This can reproduce on Aurora (bp-ed985971-90ca-4af2-9bfb-1d8252110621). Requesting blocking for version 6.
Crash Signature: [@ js::StackFrame::initJitFrameLatePrologue() ] → [@ js::StackFrame::initJitFrameLatePrologue() ][@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ]
tracking-firefox6: --- → ?
Summary: Crash [@ js::StackFrame::initJitFrameLatePrologue() ] → Crash [@ js::StackFrame::initJitFrameLatePrologue() ] / [@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ] (Aurora 6)
Comment 4•13 years ago
In local build:
build from c08f97b3f842: crash
build from 28bc239d3d9d: not crash
Suspected bug: Bug 644074
Assignee
Comment 6•13 years ago
It looks like this is a pre-existing bug hidden by the old STACK_QUOTA nonsense which bug 644074 removed. The bug is that CompileFunction is not checking the stack limit before initializing locals.
Assignee
Comment 7•13 years ago
Simple enough fix, mostly just copying the relevant bits of generatePrologue+HitStackQuota.
Attachment #541233 - Flags: review?(dvander)
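The failure mode described in comment 6, as an added illustration that is not part of this bug thread or of the attached patch: a toy VM stack in C++ where entering a function initializes its locals without, and then with, a stack-limit check first. All names (`VMStack`, `Script`, `enterUnchecked`, `enterChecked`) and sizes are hypothetical; the guard region stands in for memory beyond the stack limit.

```cpp
// Added illustration with hypothetical names; not SpiderMonkey code.
#include <cstddef>
#include <cstdint>
#include <vector>

using Value = uint64_t;
constexpr Value kUndefined = 0xFFF9u;  // constructed marker value

struct VMStack {
    std::vector<Value> slots;  // usable slots followed by a guard region
    size_t limit;              // first slot index a frame may not use
    size_t sp = 0;             // next free slot
    VMStack(size_t usable, size_t guard) : slots(usable + guard, 0), limit(usable) {}
    size_t overrun() const {   // guard slots written; non-zero means overrun
        size_t n = 0;
        for (size_t i = limit; i < slots.size(); ++i) n += (slots[i] != 0);
        return n;
    }
};

struct Script { size_t nfixed, nslots; };  // locals, total frame slots

// Before: locals are set to undefined with no limit check.
void enterUnchecked(VMStack& s, const Script& f) {
    for (size_t i = 0; i < f.nfixed; ++i) s.slots[s.sp + i] = kUndefined;
    s.sp += f.nslots;
}

// After: check the limit first and report over-recursion instead of writing.
bool enterChecked(VMStack& s, const Script& f) {
    if (f.nslots > s.limit - s.sp) return false;  // sp <= limit always holds here
    for (size_t i = 0; i < f.nfixed; ++i) s.slots[s.sp + i] = kUndefined;
    s.sp += f.nslots;
    return true;
}

// Enter the same script `depth` times; the guard is sized so that the
// demo's unchecked writes stay inside the vector.
size_t recurseUnchecked(size_t depth) {
    VMStack s(8, depth * 6);
    const Script f{6, 6};
    for (size_t d = 0; d < depth; ++d) enterUnchecked(s, f);
    return s.overrun();
}
size_t recurseChecked(size_t depth, size_t* entered) {
    VMStack s(8, depth * 6);
    const Script f{6, 6};
    for (*entered = 0; *entered < depth && enterChecked(s, f); ++*entered) {}
    return s.overrun();
}
```

With 8 usable slots and 6-slot frames, the second unchecked entry writes 4 slots past the limit, while the checked path stops after one frame and leaves the guard untouched.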
Comment 8•13 years ago
Not going to track, but if you come back when it's been reviewed and you can give us a risk vs reward analysis, we'll evaluate then.
Updated•13 years ago
Comment on attachment 541233 fix and test
Review of attachment 541233:
Attachment #541233 - Flags: review?(dvander) → review+
Assignee
Comment 10•13 years ago
This is currently on aurora (not beta) and I think this is a low risk fix to land. IIUC, that means tracking-firefox7, not 6?
tracking-firefox7: --- → ?
Assignee
Comment 11•13 years ago
http://hg.mozilla.org/tracemonkey/rev/f4237a8313ea
Whiteboard: fixed-in-tracemonkey
Assignee
Comment 12•13 years ago
Oops, Aurora reports 6.0a2, so then I should request tracking-firefox6.
Comment 13•13 years ago
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/f4237a8313ea
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
tracking-firefox7: ? → ---
Comment 14•13 years ago
Comment on attachment 541233 fix and test
Approved for releases/mozilla-aurora. Please land by 2011-07-05 @ 9:00 am PDT
Attachment #541233 - Flags: approval-mozilla-aurora+
Assignee
Comment 15•13 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/43e6c03cdb34
Comment 16•13 years ago
Looks like this made the uplift to Beta. Do we still need to track this for 6?
status-firefox6: --- → fixed
Assignee
Comment 17•13 years ago
I think we're good.
Comment 18•13 years ago
No crash on Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 beta 5
Setting resolution to Verified Fixed.
Status: RESOLVED → VERIFIED
Updated•9 years ago
Keywords: regressionwindow-wanted