Closed
Bug 688165
Opened 14 years ago
Closed 14 years ago
google plus abort js/src/jsinfer.cpp:341
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 685186
People
(Reporter: mcmanus, Unassigned)
References
Details
(Whiteboard: js-triage-needed)
Attachments
(1 file)
|
658.88 KB,
text/plain
|
Details |
I started seeing this crash on trunk about 10 days ago, but I just figured out how to repro it today.
(gdb) bt
#0 0x00007ffff7bcdb3b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1 0x00007ffff5836bb2 in CrashInJS () at ../../../websockets/js/src/jsutil.cpp:95
#2 0x00007ffff5836c0a in JS_Assert (s=0x7fffffff1430 "[infer failure] Missing type for arg 1: [0x7fffcf235380]", file=0x7ffff5f4a938 "../../../websockets/js/src/jsinfer.cpp", ln=341)
at ../../../websockets/js/src/jsutil.cpp:103
#3 0x00007ffff570fc60 in js::types::TypeFailure (cx=0x7fffd5ceac00, fmt=0x7ffff5ff1a42 "Missing type for arg %d: %s") at ../../../websockets/js/src/jsinfer.cpp:341
#4 0x00007ffff5a31980 in js::mjit::stubs::AssertArgumentTypes (f=...) at ../../../websockets/js/src/methodjit/StubCalls.cpp:2458
#5 0x00007fffded4107f in ?? ()
#6 0x00007fffded44c7d in ?? ()
#7 0x0000000000000001 in ?? ()
#8 0x0000000000000000 in ?? ()
repro: using a debug nightly, go to https://plus.google.com/108176814619778619437/posts/4Q8zan6JM2o
log into a google account (it requires this)
let the whole page load (this can take a while)
reload
boom.
I've confirmed with a fresh profile.
There is gobs of debug info printed just before the crash along the lines of:
JavaScript strict warning: file:///home/mcmanus/src/mozilla2/wd/obj-debug-ws/dist/bin/components/nsSessionStore.js, line 4365: reference to undefined property aBrowser.__SS_restoreState
Function #4661 https://ssl.gstatic.com/gb/js/gcm_b83996bbc33bcd01855a9e817615014a.js (line 34):
locals:
return: void
this: object
arg0: object
I'll include the whole set as an attachment.
|
||
Updated•14 years ago
|
Whiteboard: js-triage-needed
|
||
Comment 1•14 years ago
|
||
Pretty sure this is the same as bug 685186, which is also on Google Plus and fails in the same way. I looked at this crash with dbaron last week. This failure happens when a DEBUG-only jitcode assertion catches that the inferred types for a function's arguments are incorrect. What is going on at this callsite is that a dense array element is passed as the argument, and the types for that element are not correct. I'm not sure if the bad assignment is happening in jitcode or in the VM. I put together a patch to beef up DEBUG jitcode assertions to catch the former case, but haven't landed that yet.
Depends on: 685186
|
Reporter | |
Comment 2•14 years ago
|
||
This still plagues me - and I think it has been uplifted to aurora. Comment 0 reproduces it (at least for me).
status-firefox9:
--- → affected
tracking-firefox9:
--- → ?
|
||
Comment 3•14 years ago
|
||
Patrick, seems bug 685186 landed on aurora (9), are you still seeing this anywhere?
|
|
Reporter | |
Comment 4•14 years ago
|
||
this is fixed for me - thanks
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•14 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•