Bug 666094 - Crash [@ js::StackFrame::initJitFrameLatePrologue() ] / [@ js::mjit::stubs::CompileFunction(js::VMFrame&, unsigned int) ] (Aurora 6)
Status: VERIFIED FIXED
Whiteboard: fixed-in-tracemonkey
Keywords: crash, regression
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Windows Vista
Importance: -- critical
Target Milestone: ---
Assigned To: Luke Wagner [:luke]
Triage Owner: Jason Orendorff [:jorendorff]
URL: http://dhtmlkitchen.com/jstest/scope-...
Reported: 2011-06-21 18:38 PDT by Makoto Kato [:m_kato]
Modified: 2015-10-07 18:51 PDT
CC: 8 users


Attachments:
  fix and test (4.77 KB, patch), 2011-06-22 17:06 PDT, Luke Wagner [:luke]
    dvander: review+
    christian: approval-mozilla-aurora+

Description Makoto Kato [:m_kato] 2011-06-21 18:38:01 PDT
ENV
===
m-c Nightly 2011-06-20 (Win32 and Win64)

STEP
====
1. Browse http://dhtmlkitchen.com/jstest/scope-chain-performance-iframe.html
2. click [generateTestResults]

RESULT
======
bp-dbd6f24f-8e31-465a-8651-6229d2110621

0 	mozjs.dll 	js::StackFrame::initJitFrameLatePrologue 	js/src/vm/Stack-inl.h:179
1 	mozjs.dll 	js::mjit::stubs::CompileFunction 	js/src/methodjit/InvokeHelpers.cpp:286
2 	xul.dll 	nsXPConnect::WrapNativeToJSVal 	js/src/xpconnect/src/nsXPConnect.cpp:1344
3 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5098
4 		@0x136a1c7f 	

Not repro on Firefox 4 and 5.
Comment 1 David Mandelin [:dmandelin] 2011-06-21 18:39:43 PDT
Can you get us a regression range on this?
Comment 2 Makoto Kato [:m_kato] 2011-06-21 19:32:26 PDT
Repro -> ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-27-03-tracemonkey/firefox-6.0a1.en-US.win32.zip

Not Repro ->  ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-26-03-tracemonkey/firefox-6.0a1.en-US.win32.zip


http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=3c3f44c79685&tochange=d433ee7d9f86
User and push date [To Local], then changeset, patch author — commit message:

jwalden@mit.edu, Tue Apr 26 19:47:42 2011 -0700
  d433ee7d9f86  Jeff Walden — Bug 647385 - Implement a ToInteger helper that corresponds to the spec method (rather than inlining its contents everywhere it can be trivially used). Also fixes a couple bugs in one place that should have used ToInteger but didn't. r=cdleary
  f1751a93f665  Jeff Walden — Bug 512266 - JSON.stringify for various special characters should produce the corresponding one-character escapes. r=pbiggar
  a7b220e7425a  Jeff Walden — Bug 635389 - Check for overrecursion in functions that might need it. r=jorendorff
  8f7cf9d0b636  Jeff Walden — Bug 650574 - No recursion checks converting a cyclic object to source, if the object's toSource hooks are built-in functions. r=luke
cleary@mozilla.com, Tue Apr 26 15:26:18 2011 -0700
  17dffff00f56  Chris Leary — Passing bug 646184 crashtest assertion. (r=dbaron)
lwagner@mozilla.com, Tue Apr 26 14:33:57 2011 -0700
  c08f97b3f842  Luke Wagner — Fix linker error. I fixed this in the patch I pushed to try but seem to have lost it in the meantime (r=burning-windows)
lwagner@mozilla.com, Tue Apr 26 13:39:40 2011 -0700
  7faf405fa9f0  Luke Wagner — Fix --disable-methodjit bustage (r=red)
lwagner@mozilla.com, Tue Apr 26 13:27:51 2011 -0700
  e9da34dfa8c5  Luke Wagner — Bug 644074 - Simplify and consolidate VM stack code into js/src/vm/Stack*
cleary@mozilla.com, Tue Apr 26 10:43:47 2011 -0700
  28bc239d3d9d  Chris Leary — Merge mozilla-central and tracemonkey.
  (489 hidden changesets)
evilpies@gmail.com, Tue Apr 26 07:26:53 2011 -0700
  3dc303216231  Tom Schuster — Fix style nit request in Bug 651973 r=jorendorff via irc
jandemooij@gmail.com, Tue Apr 26 01:31:30 2011 -0700
  de7b0f3323c1  Jan de Mooij — Bug 646938 - Fix NaN-check in jsop_
Comment 3 Makoto Kato [:m_kato] 2011-06-21 20:13:37 PDT
This can be reproduced on Aurora (bp-ed985971-90ca-4af2-9bfb-1d8252110621). Requesting blocking for version 6.
Comment 4 Alice0775 White 2011-06-22 05:43:20 PDT
In local build:
build from c08f97b3f842: crash
build from 28bc239d3d9d: not crash
Suspected bug: Bug 644074
Comment 5 Luke Wagner [:luke] 2011-06-22 08:45:59 PDT
investigating
Comment 6 Luke Wagner [:luke] 2011-06-22 12:59:44 PDT
It looks like this is a pre-existing bug hidden by the old STACK_QUOTA nonsense which bug 644074 removed.  The bug is that CompileFunction is not checking the stack limit before initializing locals.
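The failure mode described in the comment above, as an added illustration that is not SpiderMonkey code or the patch from this bug: a constructed model of a VM value stack with a quota, where one frame prologue initialises the callee's locals before asking whether the frame fits (the bug) and the other checks first. The struct, the tag value and the slot counts are all invented for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of a VM value stack with a quota: slots [0, limit) are
// usable; the slack beyond them stands in for whatever sits past the real
// stack's guard, where a write means the crash in the report.
struct VMStack {
    std::vector<uint64_t> slots;
    size_t limit;          // first index past the quota
    size_t sp = 0;         // next free slot
    size_t highWater = 0;  // one past the highest index ever written
    VMStack(size_t usable, size_t slack) : slots(usable + slack), limit(usable) {}
    void write(size_t i, uint64_t v) {
        slots.at(i) = v;   // out_of_range here plays the role of the segfault
        if (i + 1 > highWater) highWater = i + 1;
    }
    bool wrotePastLimit() const { return highWater > limit; }
};

static const uint64_t UNDEFINED = 0xfff9000000000000ull;  // constructed tag value

// Buggy prologue: initialises the callee's locals and only then asks whether
// the frame fit. By then the slots past `limit` have already been written.
bool pushFrameLateCheck(VMStack& st, size_t nlocals) {
    for (size_t i = 0; i < nlocals; ++i)
        st.write(st.sp + i, UNDEFINED);
    if (st.sp + nlocals > st.limit)
        return false;  // too late: memory past the quota is already touched
    st.sp += nlocals;
    return true;
}

// Fixed prologue: the quota check runs before any slot is touched, so a frame
// that does not fit is refused ("too much recursion") with nothing written.
bool pushFrameEarlyCheck(VMStack& st, size_t nlocals) {
    if (nlocals > st.limit - st.sp)
        return false;
    for (size_t i = 0; i < nlocals; ++i)
        st.write(st.sp + i, UNDEFINED);
    st.sp += nlocals;
    return true;
}

// Keeps "calling" with the given prologue until it refuses; returns the depth.
size_t recurseUntilRefused(VMStack& st, size_t nlocals,
                           bool (*prologue)(VMStack&, size_t)) {
    size_t depth = 0;
    while (prologue(st, nlocals))
        ++depth;
    return depth;
}
```

With a 16-slot quota and 5 locals per frame both prologues refuse the fourth frame, but only the late-checking one has already written four slots past the quota by the time it says no.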
Comment 7 Luke Wagner [:luke] 2011-06-22 17:06:21 PDT
Created attachment 541233 [details] [diff] [review]
fix and test

Simple enough fix, mostly just copying the relevant bits of generatePrologue+HitStackQuota.
Comment 8 Asa Dotzler [:asa] 2011-06-23 14:34:29 PDT
Not going to track, but if you come back when it's been reviewed and you can give us a risk vs. reward analysis, we'll evaluate then.
Comment 9 David Anderson [:dvander] 2011-06-24 15:49:19 PDT
Comment on attachment 541233 [details] [diff] [review]
fix and test

Review of attachment 541233 [details] [diff] [review]:
-----------------------------------------------------------------
Comment 10 Luke Wagner [:luke] 2011-06-24 16:00:40 PDT
This is currently on aurora (not beta) and I think this is a low risk fix to land.  IIUC, that means tracking-firefox7, not 6?
Comment 11 Luke Wagner [:luke] 2011-06-24 16:13:16 PDT
http://hg.mozilla.org/tracemonkey/rev/f4237a8313ea
Comment 12 Luke Wagner [:luke] 2011-06-25 21:09:36 PDT
Oops, Aurora reports 6.0a2, so then I should request tracking-firefox6.
Comment 13 Chris Leary [:cdleary] (not checking bugmail) 2011-06-27 11:41:27 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/f4237a8313ea
Comment 14 christian 2011-06-30 15:05:11 PDT
Comment on attachment 541233 [details] [diff] [review]
fix and test

Approved for releases/mozilla-aurora. Please land by 2011-07-05 @ 9:00 am PDT
Comment 16 Asa Dotzler [:asa] 2011-07-17 23:45:17 PDT
Looks like this made the uplift to Beta. Do we still need to track this for 6?
Comment 17 Luke Wagner [:luke] 2011-07-18 11:33:09 PDT
I think we're good.
Comment 18 Vlad [QA] 2011-08-10 06:31:59 PDT
No crash on Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 beta 5

Setting resolution to Verified Fixed.