crash js::mjit::EnterMethodJIT

RESOLVED FIXED in Firefox 9

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: WildcatRay, Unassigned)

Tracking

({crash})

Trunk
mozilla9
x86_64
Windows 7
crash
Points:
---

Firefox Tracking Flags

(firefox7-, firefox8-, firefox9+ fixed)

Details

(Whiteboard: js-triage-needed [qa-], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
This bug was filed from the Socorro interface and is 
report bp-e5e6d8d2-718b-40f7-8d3e-cf7c62110830 .
============================================================= 

I am filing this bug for the user who actually experienced it.

More crash reports for the page in question:
https://crash-stats.mozilla.com/report/index/35465366-ddf6-4538-b332-6ac9d2110830
https://crash-stats.mozilla.com/report/index/bp-4bbf8cb0-8a29-4b38-b3cf-e3f062110830

Also, not sure of the proper component, so chose General for the moment.

Updated

6 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Does the linked URL crash reliably, or only sometimes?
Depends on: 595351
Whiteboard: js-triage-needed

Updated

6 years ago
Blocks: 595351
No longer depends on: 595351

Comment 2

6 years ago
For me that link has crashed every time I let Noscript to "allow all this page" but not if I allow only rchelicopterfun.com...
(Reporter)

Comment 3

6 years ago
For me, it has not crashed at all. Others in the mozillazine forum (http://forums.mozillazine.org/viewtopic.php?p=11194661#p11194661) evidently are only seeing this intermittently if they seeing more than one crash.
For me, its 100%, even with a new profile.

Win7 64bit..
(Reporter)

Comment 5

6 years ago
I tried, again, after disabling AdBlock Plus and got this crash:

https://crash-stats.mozilla.com/report/index/bp-4d85502a-7593-46ae-b0a9-8b1622110830
For me this page crashes reliably in a TI nightly from a few days ago.  Looking into now...

http://www.rchelicopterfun.com/best-rc-helicopter.html
This page crashes it every time for me on today's nightly (built from e6591ea9b27b):
http://www.favbrowser.com/mozilla-previews-firefox-for-tablets/
Created attachment 557071 [details] [diff] [review]
patch

Patch for the rchelicopters.com crash.  Regalloc bug when hoisting computations from accesses like arguments[x].  I'm not sure how many of the EnterMethodJIT crashes this will address (this is a blanket signature for all jitcode crashes), but all the crashes I looked at *could* have been caused by this bug.
Attachment #557071 - Flags: review?(dvander)
Attachment #557071 - Flags: review?(dvander) → review+
http://hg.mozilla.org/mozilla-central/rev/005bce677a00
Just tested with an hourly build based on cset:
http://hg.mozilla.org/mozilla-central/rev/005bce677a00 

and no more crashes on the linked URL as reported.  Thanks for the quick work.  Do want to leave this open, or should it be now be closed ?
Lets close this one, future jitcode crashes with this signature will be for different reasons.  I also tested the link in comment 7 with and without this patch, and it looks to be the same (fixed) issue.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated

6 years ago
status-firefox7: --- → affected
status-firefox8: --- → affected
tracking-firefox7: --- → ?
tracking-firefox8: --- → ?
Target Milestone: --- → mozilla9

Comment 12

6 years ago
Scooby, this isn't the bug you're looking for. This is brand new code.
status-firefox7: affected → ---
status-firefox8: affected → ---
tracking-firefox7: ? → -
tracking-firefox8: ? → -
status-firefox9: --- → fixed
tracking-firefox9: --- → +
Can someone on this bug who was able to reproduce it before please verify the fix on Firefox 9?
Whiteboard: js-triage-needed → js-triage-needed [qa-]

Comment 14

6 years ago
At least for for me, no crash anymore using Firefox 9b4: 
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0 ID:20111130065942
You need to log in before you can comment on or make changes to this bug.