Last Comment Bug 683207 - crash js::mjit::EnterMethodJIT
: crash js::mjit::EnterMethodJIT
js-triage-needed [qa-]
: crash
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Windows 7
-- critical (vote)
: mozilla9
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: SadJägerMonkey
  Show dependency treegraph
Reported: 2011-08-30 10:40 PDT by WildcatRay
Modified: 2013-12-27 14:27 PST (History)
8 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (1.56 KB, patch)
2011-08-30 19:09 PDT, Brian Hackett (:bhackett)
dvander: review+
Details | Diff | Splinter Review

Description User image WildcatRay 2011-08-30 10:40:37 PDT
This bug was filed from the Socorro interface and is 
report bp-e5e6d8d2-718b-40f7-8d3e-cf7c62110830 .

I am filing this bug for the user who actually experienced it.

More crash reports for the page in question:

Also, not sure of the proper component, so chose General for the moment.
Comment 1 User image David Mandelin [:dmandelin] 2011-08-30 11:28:17 PDT
Does the linked URL crash reliably, or only sometimes?
Comment 2 User image Antti Tervasmäki 2011-08-30 12:21:31 PDT
For me that link has crashed every time I let Noscript to "allow all this page" but not if I allow only
Comment 3 User image WildcatRay 2011-08-30 12:22:17 PDT
For me, it has not crashed at all. Others in the mozillazine forum ( evidently are only seeing this intermittently if they seeing more than one crash.
Comment 4 User image Jim Jeffery not reading bug-mail 1/2/11 2011-08-30 12:25:07 PDT
For me, its 100%, even with a new profile.

Win7 64bit..
Comment 5 User image WildcatRay 2011-08-30 12:27:00 PDT
I tried, again, after disabling AdBlock Plus and got this crash:
Comment 6 User image Brian Hackett (:bhackett) 2011-08-30 15:04:29 PDT
For me this page crashes reliably in a TI nightly from a few days ago.  Looking into now...
Comment 7 User image :Felipe Gomes (needinfo me!) 2011-08-30 18:44:51 PDT
This page crashes it every time for me on today's nightly (built from e6591ea9b27b):
Comment 8 User image Brian Hackett (:bhackett) 2011-08-30 19:09:08 PDT
Created attachment 557071 [details] [diff] [review]

Patch for the crash.  Regalloc bug when hoisting computations from accesses like arguments[x].  I'm not sure how many of the EnterMethodJIT crashes this will address (this is a blanket signature for all jitcode crashes), but all the crashes I looked at *could* have been caused by this bug.
Comment 9 User image Brian Hackett (:bhackett) 2011-08-30 19:26:44 PDT
Comment 10 User image Jim Jeffery not reading bug-mail 1/2/11 2011-08-31 03:18:23 PDT
Just tested with an hourly build based on cset: 

and no more crashes on the linked URL as reported.  Thanks for the quick work.  Do want to leave this open, or should it be now be closed ?
Comment 11 User image Brian Hackett (:bhackett) 2011-08-31 05:54:04 PDT
Lets close this one, future jitcode crashes with this signature will be for different reasons.  I also tested the link in comment 7 with and without this patch, and it looks to be the same (fixed) issue.
Comment 12 User image Asa Dotzler [:asa] 2011-09-01 14:43:13 PDT
Scooby, this isn't the bug you're looking for. This is brand new code.
Comment 13 User image Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-11-21 16:57:15 PST
Can someone on this bug who was able to reproduce it before please verify the fix on Firefox 9?
Comment 14 User image Antti Tervasmäki 2011-12-01 09:12:19 PST
At least for for me, no crash anymore using Firefox 9b4: 
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0 ID:20111130065942

Note You need to log in before you can comment on or make changes to this bug.