Closed Bug 687856 Opened 13 years ago Closed 13 years ago

crash [@ mozjs.dll]

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: alice0775, Assigned: bhackett1024)

References

()

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-08df7520-37e4-45cd-96c8-a52c72110920 .
============================================================= 

Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905

Browser crashes when zoom-in Google Maps


Reproducible: Always

Steps to Reproduce:
1. Open Firefox with clean profile
2. Open http://maps.google.com/
3. Zoom in maps by mouse wheel or slider


Actual Results:
  Browser crashes
  
Expected Results:
  Browser should not crash


Regression window(m-c)
Works:
http://hg.mozilla.org/mozilla-central/rev/ea2f892d9439
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1 ID:20110919123348
Crashes:
http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ea2f892d9439&tochange=648d084ca28e
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Assignee: general → bhackett1024
Using build based on hourly m-c win32:
https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9

I saw no crashes after playing with google-maps quite a bit trying to make it crash.
Would mozjs.dll@0x13d9a be considered a different signature?

From crash report https://crash-stats.mozilla.com/report/index/bp-6edcf16c-7c5c-41dd-87d3-5b6242110920
(In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #1)
> Using build based on hourly m-c win32:
> https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> 
> I saw no crashes after playing with google-maps quite a bit trying to make
> it crash.
using latest m-c hourly
http://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1 ID:20110919225448

It also crashes
bp-b1af37ee-5f92-4d1f-b135-419582110920
(In reply to Alice0775 White from comment #3)
> (In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #1)
> > Using build based on hourly m-c win32:
> > https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> > 
> > I saw no crashes after playing with google-maps quite a bit trying to make
> > it crash.
> using latest m-c hourly
> http://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1
> ID:20110919225448
> 
> It also crashes
> bp-b1af37ee-5f92-4d1f-b135-419582110920

Indeed, I just re-tested.  seems to crash about the 3rd click on the + arrow to zoom in the map.
(In reply to Ray Murphy (WildcatRay) from comment #2)
> Would mozjs.dll@0x13d9a be considered a different signature?
> 
> From crash report
> https://crash-stats.mozilla.com/report/index/bp-6edcf16c-7c5c-41dd-87d3-
> 5b6242110920

On this crash, I used the mouse wheel to zoom in one click. Then, after a momentary pause, I zoomed out one click. Shortly thereafter, the browser crashed.
On Mac I can't get this to reproduce at all, but it does on Windows.  It may only manifest on x86.  Building a windows tree...
I see the crash on a clean profile with Windows XP on today's nightly. It seems to happen after three or four middle-mouse zooms. I was not able to cause a crash in safe mode (two attempts of about two minutes of constant scrolling each time).

http://crash-stats.mozilla.com/report/index/bp-c31e5a5b-22be-464d-adff-3cf172110920
http://crash-stats.mozilla.com/report/index/bp-5a854cc6-a9a2-43b9-9204-e380c2110920
http://crash-stats.mozilla.com/report/index/bp-f5c88986-747d-43b7-b64d-1f1032110920
OS: Windows 7 → All
On Linux build
bp-60f98c91-aed7-48cb-b540-c12c22110920

http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (X11; Linux i686; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905
Attached patch patchSplinter Review
Regression from bug 686000.  After returning from a stub call we check the result type against observed types while still in jitcode, but could clobber a live register while doing so --- the FrameState keeps callee-save registers live across inline stub calls.
Attachment #561275 - Flags: review?(dvander)
Attachment #561275 - Flags: review?(dvander) → review+
Summary: crash mozjs → crash [@ mozjs.dll]
Also landed straight to m-c to make sure this ends up in tomorrow's nightly.

https://hg.mozilla.org/mozilla-central/rev/2d29d3a3b314
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: inbound
Using today's Nightly nightly, it appears that the patch has fixed things. Thanks, Brian.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: