Crash [@ js::mjit::EnterMethodJIT() ]

RESOLVED WORKSFORME

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 6 years ago
Version: Trunk
Platform: x86, Windows XP
Keywords: crash
Reporter: bc
Assignee: Unassigned
Blocks: 1 bug
Firefox Tracking Flags: Not tracked

Description

6 years ago
Steps to reproduce:

export MOZ_NO_REMOTE=1
export NO_EM_RESTART=1
export XPCOM_DEBUG_BREAK=warn
export MOZ_CRASHREPORTER_NO_REPORT=1
export MOZ_CRASHREPORTER_DISABLE=1


Install http://bclary.com/projects/spider/spider/spider.xpi in a debug build.

firefox -spider -url 'http://es.wikia.com/' -depth 1 -start -quit > test.log 2>&1

Attach a debugger to the Firefox process and have a coffee.

You can find the crashing url in the log by finding the last Begin loading line.

I've had the best luck reproducing on XP so far.

There have been several js::mjit::EnterMethodJIT crashes in automation on Beta/10 Windows XP and Windows 7.

http://pl.wikia.com/wiki/Wikia_Polska
http://es.wikia.com/wiki/Wikia
http://www.wikia.com/Special:CreateWiki?uselang=es
http://www.wikia.com/Special:CreateWiki?uselang=ru

Unfortunately I haven't been able to reproduce these manually locally.

Automation also found related crashes using Aurora/11, Nightly/12 on Windows 7 and Nightly/12 on Linux at http://www.wikia.com/Special:CreateWiki?uselang=es

I attempted to reproduce locally by spidering and hit a related crash at http://es.gta.wikia.com/wiki/ on Windows XP with Beta/10.

        JSAutoResolveFlags rf(cx, RESOLVE_INFER);
=>        ok = JaegerTrampoline(cx, fp, code, stackLimit);
    }

 	08b23bff()	
>	mozjs.dll!js::mjit::EnterMethodJIT(JSContext * cx=0x09c35308, js::StackFrame * fp=0x04f90080, void * code=0x08b23b84, JS::Value * stackLimit=0x04fb0000, bool partial=true)  Line 1064 + 0x15 bytes	C++
 	mozjs.dll!CheckStackAndEnterMethodJIT(JSContext * cx=0x09c35308, js::StackFrame * fp=0x04f90080, void * code=0x08b23b84, bool partial=true)  Line 1125 + 0x19 bytes	C++
 	mozjs.dll!js::mjit::JaegerShot(JSContext * cx=0x09c35308, bool partial=true)  Line 1142 + 0x1d bytes	C++

though it is not directly reproducible. :-(

Some of the 'pseudo-stack/signatures' associated with these crashes are:

Nightly/Linux:
js::mjit::EnterMethodJIT js::StackSpace::firstUnused js::StackSpace::getStackLimit CheckStackAndEnterMethodJIT js::mjit::JaegerShot

Nightly/Windows 7
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) JS::Value::isObject()

Nightly/Windows 7
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) js::ContextStack::getCallFrame(JSContext*, js::MaybeReportError, js::CallArgs const&, JSFunction*, JSScript*, unsigned int*) CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)

Aurora/Windows 7
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) js::ContextStack::getCallFrame(JSContext*, js::MaybeReportError, js::CallArgs const&, JSFunction*, JSScript*, unsigned int*) CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)

Beta/Windows XP|7
js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) js::StackSpace::firstUnused() CheckStackAndEnterMethodJIT js::mjit::JaegerShot(JSContext*, bool) js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
(Reporter)

Comment 1

6 years ago
Automation could no longer reproduce on Beta/11, Aurora/12, Nightly/13 -> WFM
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME