Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Alice0775 White, Assigned: bhackett)

Tracking

({crash, regression})

Trunk
x86
All
crash, regression
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
This bug was filed from the Socorro interface and is report bp-08df7520-37e4-45cd-96c8-a52c72110920.
============================================================= 

Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905

Browser crashes when zooming in on Google Maps


Reproducible: Always

Steps to Reproduce:
1. Open Firefox with clean profile
2. Open http://maps.google.com/
3. Zoom in maps by mouse wheel or slider


Actual Results:
  Browser crashes
  
Expected Results:
  Browser should not crash


Regression window(m-c)
Works:
http://hg.mozilla.org/mozilla-central/rev/ea2f892d9439
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1 ID:20110919123348
Crashes:
http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ea2f892d9439&tochange=648d084ca28e
(Reporter)

Updated

6 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
(Assignee)

Updated

6 years ago
Assignee: general → bhackett1024
Using build based on hourly m-c win32:
https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9

I saw no crashes after playing with google-maps quite a bit trying to make it crash.

Comment 2

6 years ago
Would mozjs.dll@0x13d9a be considered a different signature?

From crash report https://crash-stats.mozilla.com/report/index/bp-6edcf16c-7c5c-41dd-87d3-5b6242110920
(Reporter)

Comment 3

6 years ago
(In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #1)
> Using build based on hourly m-c win32:
> https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> 
> I saw no crashes after playing with google-maps quite a bit trying to make
> it crash.
using latest m-c hourly
http://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1 ID:20110919225448

It also crashes
bp-b1af37ee-5f92-4d1f-b135-419582110920
(In reply to Alice0775 White from comment #3)
> (In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #1)
> > Using build based on hourly m-c win32:
> > https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> > 
> > I saw no crashes after playing with google-maps quite a bit trying to make
> > it crash.
> using latest m-c hourly
> http://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1
> ID:20110919225448
> 
> It also crashes
> bp-b1af37ee-5f92-4d1f-b135-419582110920

Indeed, I just re-tested. It seems to crash about the 3rd click on the + arrow to zoom in the map.

Comment 5

6 years ago
(In reply to Ray Murphy (WildcatRay) from comment #2)
> Would mozjs.dll@0x13d9a be considered a different signature?
> 
> From crash report
> https://crash-stats.mozilla.com/report/index/bp-6edcf16c-7c5c-41dd-87d3-5b6242110920

On this crash, I used the mouse wheel to zoom in one click. Then, after a momentary pause, I zoomed out one click. Shortly thereafter, the browser crashed.
(Assignee)

Comment 6

6 years ago
On Mac I can't get this to reproduce at all, but it does on Windows.  It may only manifest on x86.  Building a Windows tree...

Comment 7

6 years ago
I see the crash on a clean profile with Windows XP on today's nightly. It seems to happen after three or four middle-mouse zooms. I was not able to cause a crash in safe mode (two attempts of about two minutes of constant scrolling each time).

http://crash-stats.mozilla.com/report/index/bp-c31e5a5b-22be-464d-adff-3cf172110920
http://crash-stats.mozilla.com/report/index/bp-5a854cc6-a9a2-43b9-9204-e380c2110920
http://crash-stats.mozilla.com/report/index/bp-f5c88986-747d-43b7-b64d-1f1032110920
OS: Windows 7 → All
(Reporter)

Comment 8

6 years ago
On Linux build
bp-60f98c91-aed7-48cb-b540-c12c22110920

http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (X11; Linux i686; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905
(Assignee)

Comment 9

6 years ago
Created attachment 561275 [details] [diff] [review]
patch

Regression from bug 686000.  After returning from a stub call we check the result type against observed types while still in jitcode, but could clobber a live register while doing so --- the FrameState keeps callee-save registers live across inline stub calls.
Attachment #561275 - Flags: review?(dvander)
Attachment #561275 - Flags: review?(dvander) → review+
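
A toy model of the failure described in comment 9, added here as an illustration; it is not the attached patch and not SpiderMonkey code. The register names, the `FrameState` stand-in and the "pick a register that is not live" selection are assumptions made for the example: a post-call type check that uses a scratch register corrupts a value the frame state still considers live unless the scratch choice consults the live set.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>

// Toy model, constructed for illustration; none of these names are SpiderMonkey's.
enum Reg : unsigned { R0, R1, R2, R3, NumRegs };

struct Machine { std::array<uint32_t, NumRegs> regs{}; };

// Stand-in for the compiler's frame state: which registers hold live values.
struct FrameState {
    uint32_t liveMask = 0;
    void markLive(Reg r) { liveMask |= 1u << r; }
    bool isLive(Reg r) const { return (liveMask & (1u << r)) != 0; }
};

// Post-call type check emitted in jitcode: loads the result's type tag into a
// scratch register and tests it against the set of observed types.
bool typeCheck(Machine &m, Reg scratch, uint32_t resultTag, uint32_t observedMask) {
    m.regs[scratch] = resultTag;                 // overwrites whatever was there
    return ((observedMask >> m.regs[scratch]) & 1u) != 0;
}

// Unsafe choice: a fixed scratch register, ignoring what the frame state tracks.
Reg pickScratchUnchecked(const FrameState &) { return R1; }

// Safe choice: first register the frame state does not consider live.
// Returns NumRegs when none is free (a real compiler would spill instead).
Reg pickScratchAvoidingLive(const FrameState &fs) {
    for (unsigned r = 0; r < NumRegs; r++)
        if (!fs.isLive(static_cast<Reg>(r))) return static_cast<Reg>(r);
    return NumRegs;
}

// R1 holds a value kept live across the stub call; R0 holds the call result.
// Returns true if R1 still holds its value after the type check.
bool liveValueSurvives(bool avoidLive) {
    Machine m; FrameState fs;
    m.regs[R1] = 0xC0FFEE; fs.markLive(R1);
    m.regs[R0] = 42;       fs.markLive(R0);
    Reg scratch = avoidLive ? pickScratchAvoidingLive(fs) : pickScratchUnchecked(fs);
    if (scratch == NumRegs) return false;        // no free register in this model
    typeCheck(m, scratch, /*resultTag=*/2, /*observedMask=*/0x4);
    return m.regs[R1] == 0xC0FFEE;
}

int main() {
    std::printf("unchecked scratch: live value %s\n", liveValueSurvives(false) ? "intact" : "clobbered");
    std::printf("live-aware scratch: live value %s\n", liveValueSurvives(true) ? "intact" : "clobbered");
}
```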
(Assignee)

Comment 10

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/397abdbd54a8
Whiteboard: inbound
Summary: crash mozjs → crash [@ mozjs.dll]
(Assignee)

Comment 11

6 years ago
Also landed straight to m-c to make sure this ends up in tomorrow's nightly.

https://hg.mozilla.org/mozilla-central/rev/2d29d3a3b314
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: inbound

Comment 12

6 years ago
Using today's Nightly nightly, it appears that the patch has fixed things. Thanks, Brian.
(Assignee)

Updated

6 years ago
Duplicate of this bug: 688971