
Crash [@ js::StackFrame::initJitFrameLatePrologue() ] / [@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ] (Aurora 6)

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 2 years ago

People

(Reporter: m_kato, Assigned: luke)

Tracking

Keywords: crash, regression
Version: Trunk
Platform: x86
OS: Windows Vista
Points: ---

Firefox Tracking Flags

(firefox6+ fixed)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
ENV
===
m-c Nightly 2011-06-20 (Win32 and Win64)

STEP
====
1. Browse http://dhtmlkitchen.com/jstest/scope-chain-performance-iframe.html
2. click [generateTestResults]

RESULT
======
bp-dbd6f24f-8e31-465a-8651-6229d2110621

#  Module     Function                                  Source
0  mozjs.dll  js::StackFrame::initJitFrameLatePrologue  js/src/vm/Stack-inl.h:179
1  mozjs.dll  js::mjit::stubs::CompileFunction          js/src/methodjit/InvokeHelpers.cpp:286
2  xul.dll    nsXPConnect::WrapNativeToJSVal            js/src/xpconnect/src/nsXPConnect.cpp:1344
3  mozjs.dll  JS_CallFunctionValue                      js/src/jsapi.cpp:5098
4             @0x136a1c7f

Not repro on Firefox 4 and 5.
(Reporter)

Updated

6 years ago
Summary: Crash [@ js::StackFrame::initJitFrameLatePrologue() ] when running → Crash [@ js::StackFrame::initJitFrameLatePrologue() ]

Comment 1

Can you get us a regression range on this?
Keywords: regressionwindow-wanted
(Reporter)

Comment 2

6 years ago
Repro -> ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-27-03-tracemonkey/firefox-6.0a1.en-US.win32.zip

Not Repro ->  ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-26-03-tracemonkey/firefox-6.0a1.en-US.win32.zip


http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=3c3f44c79685&tochange=d433ee7d9f86

Pushed by jwalden@mit.edu, Tue Apr 26 19:47:42 2011 -0700:
  d433ee7d9f86  Jeff Walden — Bug 647385 - Implement a ToInteger helper that corresponds to the spec method (rather than inlining its contents everywhere it can be trivially used). Also fixes a couple bugs in one place that should have used ToInteger but didn't. r=cdleary
  f1751a93f665  Jeff Walden — Bug 512266 - JSON.stringify for various special characters should produce the corresponding one-character escapes. r=pbiggar
  a7b220e7425a  Jeff Walden — Bug 635389 - Check for overrecursion in functions that might need it. r=jorendorff
  8f7cf9d0b636  Jeff Walden — Bug 650574 - No recursion checks converting a cyclic object to source, if the object's toSource hooks are built-in functions. r=luke
Pushed by cleary@mozilla.com, Tue Apr 26 15:26:18 2011 -0700:
  17dffff00f56  Chris Leary — Passing bug 646184 crashtest assertion. (r=dbaron)
Pushed by lwagner@mozilla.com, Tue Apr 26 14:33:57 2011 -0700:
  c08f97b3f842  Luke Wagner — Fix linker error. I fixed this in the patch I pushed to try but seem to have lost it in the meantime (r=burning-windows)
Pushed by lwagner@mozilla.com, Tue Apr 26 13:39:40 2011 -0700:
  7faf405fa9f0  Luke Wagner — Fix --disable-methodjit bustage (r=red)
Pushed by lwagner@mozilla.com, Tue Apr 26 13:27:51 2011 -0700:
  e9da34dfa8c5  Luke Wagner — Bug 644074 - Simplify and consolidate VM stack code into js/src/vm/Stack*
Pushed by cleary@mozilla.com, Tue Apr 26 10:43:47 2011 -0700:
  28bc239d3d9d  Chris Leary — Merge mozilla-central and tracemonkey.
  (489 hidden changesets)
Pushed by evilpies@gmail.com, Tue Apr 26 07:26:53 2011 -0700:
  3dc303216231  Tom Schuster — Fix style nit request in Bug 651973 r=jorendorff via irc
Pushed by jandemooij@gmail.com, Tue Apr 26 01:31:30 2011 -0700:
  de7b0f3323c1  Jan de Mooij — Bug 646938 - Fix NaN-check in jsop_
Crash Signature: @ js::StackFrame::initJitFrameLatePrologue() → [@ js::StackFrame::initJitFrameLatePrologue() ]
(Reporter)

Comment 3

6 years ago
This can be reproduced on Aurora (bp-ed985971-90ca-4af2-9bfb-1d8252110621). Requesting blocking for version 6.
Crash Signature: [@ js::StackFrame::initJitFrameLatePrologue() ] → [@ js::StackFrame::initJitFrameLatePrologue() ][@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ]
tracking-firefox6: --- → ?
Summary: Crash [@ js::StackFrame::initJitFrameLatePrologue() ] → Crash [@ js::StackFrame::initJitFrameLatePrologue() ] / [@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ] (Aurora 6)

Comment 4

6 years ago
In local build:
build from c08f97b3f842: crash
build from 28bc239d3d9d: not crash
Suspected bug: Bug 644074
Severity: normal → critical
Keywords: crash
(Assignee)

Comment 5

6 years ago
investigating
Assignee: general → luke
(Assignee)

Comment 6

6 years ago
It looks like this is a pre-existing bug hidden by the old STACK_QUOTA nonsense which bug 644074 removed.  The bug is that CompileFunction is not checking the stack limit before initializing locals.
(Assignee)

Comment 7

6 years ago
Created attachment 541233 [details] [diff] [review]
fix and test

Simple enough fix, mostly just copying the relevant bits of generatePrologue+HitStackQuota.
Attachment #541233 - Flags: review?(dvander)
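The ordering problem luke describes in comments 6 and 7 (the new frame's locals are initialized before the stack limit is checked, so a deeply recursive script writes past the end of the VM stack) can be shown with a toy model. This is an added illustration, not code from SpiderMonkey or from attachment 541233: the VMStack type, the 64-slot limit and the overruns counter are constructed for the example, and the real generatePrologue/HitStackQuota logic is not reproduced. Both orderings refuse the frame that does not fit; only the fixed one refuses it before any memory is touched.

```c
/* Added example: toy VM stack with a hard limit, showing why a frame's
 * locals must not be written before the stack limit is checked.
 * Not SpiderMonkey code; VMStack, STACK_SLOTS and the overruns counter are
 * constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t Value;
#define STACK_SLOTS 64          /* total usable slots; stands in for the stack limit */

typedef struct {
    Value slots[STACK_SLOTS];
    Value *sp;                  /* first free slot */
    Value *limit;               /* one past the last usable slot */
    size_t overruns;            /* writes that would have landed past the limit */
} VMStack;

static void stack_init(VMStack *s) {
    memset(s->slots, 0, sizeof s->slots);
    s->sp = s->slots;
    s->limit = s->slots + STACK_SLOTS;
    s->overruns = 0;
}

/* Buggy ordering (the pattern from comment 6): initialize the new frame's
 * locals to "undefined" first, check the limit afterwards. The check still
 * fails, but only after slots past the limit have already been written. */
static int push_frame_buggy(VMStack *s, size_t nlocals) {
    size_t avail = (size_t)(s->limit - s->sp);
    for (size_t i = 0; i < nlocals; i++) {
        if (i < avail)
            s->sp[i] = 0;       /* in-bounds write */
        else
            s->overruns++;      /* real engine: write past the stack, i.e. the crash */
    }
    if (nlocals > avail)
        return 0;               /* too late: the damage is already done */
    s->sp += nlocals;
    return 1;
}

/* Fixed ordering: reject the frame before touching any memory. */
static int push_frame_fixed(VMStack *s, size_t nlocals) {
    size_t avail = (size_t)(s->limit - s->sp);
    if (nlocals > avail)
        return 0;               /* report over-recursion; nothing written */
    for (size_t i = 0; i < nlocals; i++)
        s->sp[i] = 0;
    s->sp += nlocals;
    return 1;
}

typedef struct {
    int frames_pushed;          /* frames accepted before the limit stopped us */
    size_t overruns;            /* out-of-bounds writes that happened on the way */
} Result;

/* Recurse up to `depth` calls, each needing `nlocals` slots, using the given
 * frame-push strategy, and report what happened. */
static Result run(int (*push)(VMStack *, size_t), size_t nlocals, int depth) {
    VMStack s;
    Result r = {0, 0};
    stack_init(&s);
    for (int d = 0; d < depth; d++) {
        if (!push(&s, nlocals))
            break;              /* over-recursion reported here */
        r.frames_pushed++;
    }
    r.overruns = s.overruns;
    return r;
}

int main(void) {
    Result buggy = run(push_frame_buggy, 10, 100);
    Result fixed = run(push_frame_fixed, 10, 100);
    printf("buggy: %d frames, %zu out-of-bounds writes\n", buggy.frames_pushed, buggy.overruns);
    printf("fixed: %d frames, %zu out-of-bounds writes\n", fixed.frames_pushed, fixed.overruns);
    return 0;
}
```

With 64 slots and 10 locals per frame, both orderings accept six frames and refuse the seventh; the buggy one has already written six slots past the limit by the time it refuses, which is the kind of write that surfaces as the crash in initJitFrameLatePrologue when the check comes after the initialization.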

Comment 8

6 years ago
not going to track but if you come back when it's been reviewed and you can give us a risk vs reward analysis, we'll evaluate then.

Updated

6 years ago
tracking-firefox6: ? → -
Comment 9

Comment on attachment 541233 [details] [diff] [review]
fix and test

Review of attachment 541233 [details] [diff] [review]:
-----------------------------------------------------------------
Attachment #541233 - Flags: review?(dvander) → review+
(Assignee)

Comment 10

6 years ago
This is currently on aurora (not beta) and I think this is a low risk fix to land.  IIUC, that means tracking-firefox7, not 6?
tracking-firefox7: --- → ?
(Assignee)

Comment 11

6 years ago
http://hg.mozilla.org/tracemonkey/rev/f4237a8313ea
Whiteboard: fixed-in-tracemonkey
(Assignee)

Comment 12

6 years ago
Oops, Aurora reports 6.0a2, so then I should request tracking-firefox6.
tracking-firefox6: - → ?

Comment 13

cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/f4237a8313ea
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated

6 years ago
tracking-firefox6: ? → +
tracking-firefox7: ? → ---

Comment 14

6 years ago
Comment on attachment 541233 [details] [diff] [review]
fix and test

Approved for releases/mozilla-aurora. Please land by 2011-07-05 @ 9:00 am PDT
Attachment #541233 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 15

6 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/43e6c03cdb34

Comment 16

6 years ago
Looks like this made the uplift to Beta. Do we still need to track this for 6?
status-firefox6: --- → fixed
(Assignee)

Comment 17

6 years ago
I think we're good.

Comment 18

6 years ago
No crash on Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 beta 5

Setting resolution to Verified Fixed.
Status: RESOLVED → VERIFIED
Keywords: regressionwindow-wanted