Bug 687856 - crash [@ mozjs.dll]
Status: RESOLVED FIXED
Keywords: crash, regression
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 All
Importance: -- critical with 1 vote
Assigned To: Brian Hackett (:bhackett)
URL: http://maps.google.com/
Duplicates: 688971
Reported: 2011-09-20 08:30 PDT by Alice0775 White
Modified: 2011-10-09 18:37 PDT

Attachments
patch (1.66 KB, patch)
2011-09-20 13:10 PDT, Brian Hackett (:bhackett)
dvander: review+

Description Alice0775 White 2011-09-20 08:30:01 PDT
This bug was filed from the Socorro interface and is 
report bp-08df7520-37e4-45cd-96c8-a52c72110920 .
============================================================= 

Build Identifier:
http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905

Browser crashes when zooming in on Google Maps


Reproducible: Always

Steps to Reproduce:
1. Open Firefox with clean profile
2. Open http://maps.google.com/
3. Zoom in maps by mouse wheel or slider


Actual Results:
  Browser crashes
  
Expected Results:
  Browser should not crash


Regression window(m-c)
Works:
http://hg.mozilla.org/mozilla-central/rev/ea2f892d9439
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1 ID:20110919123348
Crashes:
http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ea2f892d9439&tochange=648d084ca28e
Comment 1 Jim Jeffery not reading bug-mail 1/2/11 2011-09-20 08:45:54 PDT
Using build based on hourly m-c win32:
https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9

I saw no crashes after playing with google-maps quite a bit trying to make it crash.
Comment 2 WildcatRay 2011-09-20 08:47:38 PDT
Would mozjs.dll@0x13d9a be considered a different signature?

From crash report https://crash-stats.mozilla.com/report/index/bp-6edcf16c-7c5c-41dd-87d3-5b6242110920
Comment 3 Alice0775 White 2011-09-20 08:51:57 PDT
(In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #1)
> Using build based on hourly m-c win32:
> https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> 
> I saw no crashes after playing with google-maps quite a bit trying to make
> it crash.
using latest m-c hourly
http://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1 ID:20110919225448

It also crashes
bp-b1af37ee-5f92-4d1f-b135-419582110920
Comment 4 Jim Jeffery not reading bug-mail 1/2/11 2011-09-20 08:55:11 PDT
(In reply to Alice0775 White from comment #3)
> (In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #1)
> > Using build based on hourly m-c win32:
> > https://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> > 
> > I saw no crashes after playing with google-maps quite a bit trying to make
> > it crash.
> using latest m-c hourly
> http://hg.mozilla.org/mozilla-central/rev/a89ac13dbeb9
> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0a1) Gecko/20110919 Firefox/9.0a1
> ID:20110919225448
> 
> It also crashes
> bp-b1af37ee-5f92-4d1f-b135-419582110920

Indeed, I just re-tested. Seems to crash about the 3rd click on the + arrow to zoom in the map.
Comment 5 WildcatRay 2011-09-20 08:59:08 PDT
(In reply to Ray Murphy (WildcatRay) from comment #2)
> Would mozjs.dll@0x13d9a be considered a different signature?
> 
> From crash report
> https://crash-stats.mozilla.com/report/index/bp-6edcf16c-7c5c-41dd-87d3-5b6242110920

On this crash, I used the mouse wheel to zoom in one click. Then, after a momentary pause, I zoomed out one click. Shortly thereafter, the browser crashed.
Comment 6 Brian Hackett (:bhackett) 2011-09-20 08:59:26 PDT
On Mac I can't get this to reproduce at all, but it does on Windows.  It may only manifest on x86.  Building a Windows tree...
Comment 7 B.J. Herbison 2011-09-20 09:00:50 PDT
I see the crash on a clean profile with Windows XP on today's nightly. It seems to happen after three or four middle-mouse zooms. I was not able to cause a crash in safe mode (two attempts of about two minutes of constant scrolling each time).

http://crash-stats.mozilla.com/report/index/bp-c31e5a5b-22be-464d-adff-3cf172110920
http://crash-stats.mozilla.com/report/index/bp-5a854cc6-a9a2-43b9-9204-e380c2110920
http://crash-stats.mozilla.com/report/index/bp-f5c88986-747d-43b7-b64d-1f1032110920
Comment 8 Alice0775 White 2011-09-20 09:03:43 PDT
On Linux build
bp-60f98c91-aed7-48cb-b540-c12c22110920

http://hg.mozilla.org/mozilla-central/rev/648d084ca28e
Mozilla/5.0 (X11; Linux i686; rv:9.0a1) Gecko/20110920 Firefox/9.0a1 ID:20110920030905
Comment 9 Brian Hackett (:bhackett) 2011-09-20 13:10:44 PDT
Created attachment 561275
patch

Regression from bug 686000.  After returning from a stub call we check the result type against observed types while still in jitcode, but could clobber a live register while doing so --- the FrameState keeps callee-save registers live across inline stub calls.
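
A toy model of the failure described in comment 9, added here as an illustration; it is not the attached patch or SpiderMonkey code. The register names, `Machine`, and both check functions are hypothetical: a value is kept in a callee-saved register across a stub call, and the post-call type check either takes that register as scratch (the bug class) or consults the live set first.

```cpp
#include <array>
#include <cstdint>

// Toy register machine. All names are hypothetical, not SpiderMonkey's.
enum Reg { R0, R1, R2, R3, NUM_REGS };      // R0: return value; R2, R3: callee-saved
struct Machine {
    std::array<uint32_t, NUM_REGS> regs{};
    uint32_t live = 0;                       // bit i set: the frame state expects Ri to keep its value
};

// Stub call: trashes caller-saved R1, preserves R2/R3, leaves the result's type tag in R0.
void stubCall(Machine &m, uint32_t resultTag) {
    m.regs[R1] = 0xDEAD;
    m.regs[R0] = resultTag;
    m.live |= 1u << R0;
}

// Buggy check: assumes every register is free after a call and uses R2 as scratch.
bool checkTypeBuggy(Machine &m, uint32_t observedTag) {
    m.regs[R2] = observedTag;                // overwrites R2 even when it is live
    return m.regs[R0] == m.regs[R2];
}

// Safe check: take a scratch register outside the live set, or spill and restore one.
bool checkTypeSafe(Machine &m, uint32_t observedTag) {
    int scratch = -1;
    for (int r = R1; r < NUM_REGS; r++)
        if (!(m.live & (1u << r))) { scratch = r; break; }
    bool spilled = scratch < 0;
    if (spilled) scratch = R1;               // nothing free: borrow R1 and put it back
    uint32_t saved = m.regs[scratch];
    m.regs[scratch] = observedTag;
    bool ok = m.regs[R0] == m.regs[scratch];
    if (spilled) m.regs[scratch] = saved;
    return ok;
}

// Keep 0x1234 in R2 across a stub call, run one check, report what R2 holds afterwards.
uint32_t r2AfterCheck(bool safe, uint32_t extraLive = 0) {
    Machine m;
    m.regs[R2] = 0x1234;                     // constructed sample value
    m.live = (1u << R2) | extraLive;
    stubCall(m, 7);
    bool ok = safe ? checkTypeSafe(m, 7) : checkTypeBuggy(m, 7);
    return ok ? m.regs[R2] : 0xFFFFFFFF;
}

int main() { return r2AfterCheck(true) == 0x1234 ? 0 : 1; }
```

In the buggy path the type check itself passes, so the corruption only shows up later when the clobbered register is read.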
Comment 10 Brian Hackett (:bhackett) 2011-09-20 13:33:47 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/397abdbd54a8
Comment 11 Brian Hackett (:bhackett) 2011-09-20 20:16:07 PDT
Also landed straight to m-c to make sure this ends up in tomorrow's nightly.

https://hg.mozilla.org/mozilla-central/rev/2d29d3a3b314
Comment 12 WildcatRay 2011-09-21 06:30:40 PDT
Using today's Nightly nightly, it appears that the patch has fixed things. Thanks, Brian.
Comment 13 Brian Hackett (:bhackett) 2011-09-24 18:49:29 PDT
*** Bug 688971 has been marked as a duplicate of this bug. ***
