Bug 717336: Crash in javascript engine on fennec
Status: RESOLVED DUPLICATE of bug 717441
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: kats, Unassigned
Keywords: crash, regression
Whiteboard: [native-crash]
I built Fennec Native on a Linux machine using m-c changeset c42d08fdec34, and loaded it on a Galaxy Tab 10.1 (running Honeycomb). It starts up, but while loading one of the first few pages, it will crash. I was able to attach gdb and get a stack trace, shown below. It's crashed on about:about, random Google searches, and on pages linked from Google search results, so I don't think it's specific to a particular page. I think the one below was from a Google search result link.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 9789]
arena_dalloc (ptr=0x2edd10, offset=974096) at /home/kats/zspace/mozilla-git/memory/jemalloc/jemalloc.c:4617
4617 assert(arena->magic == ARENA_MAGIC);
(gdb) bt
#0 arena_dalloc (ptr=0x2edd10, offset=974096) at /home/kats/zspace/mozilla-git/memory/jemalloc/jemalloc.c:4617
#1 0x80b0a6d6 in __wrap_free (ptr=0x2edd10) at /home/kats/zspace/mozilla-git/memory/jemalloc/jemalloc.c:6580
#2 0x80c00b8c in moz_free (ptr=0x2edd10) at /home/kats/zspace/mozilla-git/memory/mozalloc/mozalloc.cpp:97
#3 0x842a8cca in operator delete (ptr=0x2edd10) at ../../../dist/include/mozilla/mozalloc.h:246
#4 0x8538e2ca in deleteAllSegments (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/assembler/wtf/SegmentedVector.h:207
#5 ~SegmentedVector (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/assembler/wtf/SegmentedVector.h:119
#6 ~ARMAssembler (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/assembler/assembler/ARMAssembler.h:140
#7 ~AbstractMacroAssembler (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>)
at /home/kats/zspace/mozilla-git/js/src/assembler/assembler/AbstractMacroAssembler.h:46
#8 ~MacroAssemblerARM (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/assembler/assembler/MacroAssemblerARM.h:44
#9 ~MacroAssembler (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/assembler/assembler/MacroAssembler.h:68
#10 ~YarrGenerator (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/yarr/YarrJIT.cpp:41
#11 JSC::Yarr::jitCompile (pattern=<value optimized out>, globalData=<value optimized out>, jitObject=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/yarr/YarrJIT.cpp:2463
#12 0x852c732e in js::detail::RegExpPrivateCode::compile(JSContext*, JSLinearString&, js::TokenStream*, unsigned int*, js::RegExpFlag) () from libxul.so
#13 0x852c0d86 in compile (cx=0x608361d0, source=0x61063470, flags=js::NoFlags, tokenStream=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/vm/RegExpObject-inl.h:444
#14 js::detail::RegExpPrivate::createUncached (cx=0x608361d0, source=0x61063470, flags=js::NoFlags, tokenStream=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/vm/RegExpObject.cpp:508
#15 0x852c19e4 in create (this=0x60f3f100, cx=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/vm/RegExpObject-inl.h:360
#16 js::RegExpObject::makePrivate (this=0x60f3f100, cx=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/vm/RegExpObject.cpp:263
#17 0x852c481a in getOrCreatePrivate (this=0x5c72cc40, other=0x60f3f100, proto=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/vm/RegExpObject.h:179
#18 js::RegExpObjectBuilder::clone (this=0x5c72cc40, other=0x60f3f100, proto=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/vm/RegExpObject.cpp:178
#19 0x852c4f5c in js_CloneRegExpObject (cx=0x608361d0, obj=0x60f3f100, proto=0x60f3f010) at /home/kats/zspace/mozilla-git/js/src/vm/RegExpObject.cpp:568
#20 0x8517b408 in js::Interpret (cx=0x608361d0, entryFrame=<value optimized out>, interpMode=<value optimized out>) at /home/kats/zspace/mozilla-git/js/src/jsinterp.cpp:3191
#21 0x8518673e in js::RunScript (cx=0x608361d0, script=0x60f5c8e0, fp=0x60aaf020) at /home/kats/zspace/mozilla-git/js/src/jsinterp.cpp:475
#22 0x85186c86 in ExecuteKernel (cx=0x608361d0, script=0x60f5c8e0, scopeChainArg=<value optimized out>, rval=0x0) at /home/kats/zspace/mozilla-git/js/src/jsinterp.cpp:711
#23 js::Execute (cx=0x608361d0, script=0x60f5c8e0, scopeChainArg=<value optimized out>, rval=0x0) at /home/kats/zspace/mozilla-git/js/src/jsinterp.cpp:752
#24 0x850c71aa in EvaluateUCScriptForPrincipalsCommon (cx=0x608361d0, obj=0x60f2f040, principals=<value optimized out>, originPrincipals=0x6267e3d4, chars=0x6985c008, length=72174,
filename=0x626adc98 "https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js", lineno=1, rval=0x0, compileVersion=JSVERSION_DEFAULT) at /home/kats/zspace/mozilla-git/js/src/jsapi.cpp:5345
#25 0x850d86bc in JS_EvaluateUCScriptForPrincipalsVersionOrigin (cx=0x608361d0, obj=0x60f2f040, principals=0x6088fdd4, originPrincipals=0x6267e3d4, chars=0x6985c008, length=72174,
filename=0x626adc98 "https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js", lineno=1, rval=0x0, version=JSVERSION_DEFAULT) at /home/kats/zspace/mozilla-git/js/src/jsapi.cpp:5382
#26 0x847cb09e in nsJSContext::EvaluateString (this=0x63583080, aScript=<value optimized out>, aScopeObject=0x60f2f040, aPrincipal=<value optimized out>, aOriginPrincipal=0x6267e3d0,
aURL=0x626adc98 "https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js", aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0x5c72d277)
at /home/kats/zspace/mozilla-git/dom/base/nsJSEnvironment.cpp:1496
#27 0x8461f0f0 in nsScriptLoader::EvaluateScript (this=<value optimized out>, aRequest=<value optimized out>, aScript=<value optimized out>)
at /home/kats/zspace/mozilla-git/content/base/src/nsScriptLoader.cpp:902
#28 0x8461f462 in nsScriptLoader::ProcessRequest (this=0x63618d00, aRequest=0x6360a3a0) at /home/kats/zspace/mozilla-git/content/base/src/nsScriptLoader.cpp:795
#29 0x84621af6 in nsScriptLoader::ProcessPendingRequests (this=0x63618d00) at /home/kats/zspace/mozilla-git/content/base/src/nsScriptLoader.cpp:945
#30 0x84621d8e in nsScriptLoader::OnStreamComplete (this=0x63618d00, aLoader=0x628ddd00, aContext=<value optimized out>, aStatus=<value optimized out>, aStringLen=72174,
aString=0x636b5000 "/*!\n * jQuery JavaScript Library v1.4.2\n * http://jquery.com/\n *\n * Copyright 2010, John Resig\n * Dual licensed under the MIT or GPL Version 2 licenses.\n * http://jquery.org/license\n *\n * Includes Siz"...) at /home/kats/zspace/mozilla-git/content/base/src/nsScriptLoader.cpp:1179
#31 0x842a3ecc in nsStreamLoader::OnStopRequest (this=0x628ddd00, request=<value optimized out>, ctxt=<value optimized out>, aStatus=0) at /home/kats/zspace/mozilla-git/netwerk/base/src/nsStreamLoader.cpp:125
#32 0x842b8e38 in nsHTTPCompressConv::OnStopRequest (this=<value optimized out>, request=0xedd10, aContext=0xe, aStatus=0)
at /home/kats/zspace/mozilla-git/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
#33 0x842a388c in nsStreamListenerTee::OnStopRequest (this=0x655fd5e0, request=0x65550034, context=0x6360a3a0, status=0) at /home/kats/zspace/mozilla-git/netwerk/base/src/nsStreamListenerTee.cpp:71
#34 0x843121fa in nsHttpChannel::OnStopRequest (this=0x65550000, request=<value optimized out>, ctxt=<value optimized out>, status=0)
at /home/kats/zspace/mozilla-git/netwerk/protocol/http/nsHttpChannel.cpp:4341
#35 0x8428779e in nsInputStreamPump::OnStateStop (this=0x628aeb80) at /home/kats/zspace/mozilla-git/netwerk/base/src/nsInputStreamPump.cpp:580
#36 0x8428789a in nsInputStreamPump::OnInputStreamReady (this=0x628aeb80, stream=0xedd10) at /home/kats/zspace/mozilla-git/netwerk/base/src/nsInputStreamPump.cpp:405
#37 0x84e796e4 in nsInputStreamReadyEvent::Run() () from libxul.so
#38 0x84e89342 in nsThread::ProcessNextEvent (this=0x5dd24100, mayWait=<value optimized out>, result=<value optimized out>) at /home/kats/zspace/mozilla-git/xpcom/threads/nsThread.cpp:660
#39 0x84e501c8 in NS_ProcessNextEvent_P (thread=0x2edd10, mayWait=false) at /home/kats/zspace/mozilla-git/obj-android/xpcom/build/nsThreadUtils.cpp:245
#40 0x84d97f5a in mozilla::ipc::MessagePump::Run (this=0x5dd0f250, aDelegate=0x5dd370e0) at /home/kats/zspace/mozilla-git/ipc/glue/MessagePump.cpp:110
#41 0x84ebdd26 in MessageLoop::RunInternal (this=0x5dd370e0) at /home/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:208
#42 0x84ebdd86 in RunHandler (this=0x5dd370e0) at /home/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:201
#43 MessageLoop::Run (this=0x5dd370e0) at /home/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:175
#44 0x84ce24aa in nsBaseAppShell::Run (this=0x5dd7f340) at /home/kats/zspace/mozilla-git/widget/xpwidgets/nsBaseAppShell.cpp:189
#45 0x84b93af2 in nsAppStartup::Run (this=0x5ddcc130) at /home/kats/zspace/mozilla-git/toolkit/components/startup/nsAppStartup.cpp:220
#46 0x8426f288 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at /home/kats/zspace/mozilla-git/toolkit/xre/nsAppRunner.cpp:3537
---Type <return> to continue, or q <return> to quit---
#47 0x84275238 in GeckoStart (jenv=<value optimized out>, jc=<value optimized out>, jargs=<value optimized out>) at /home/kats/zspace/mozilla-git/toolkit/xre/nsAndroidStartup.cpp:103
#48 Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=<value optimized out>, jc=<value optimized out>, jargs=<value optimized out>) at /home/kats/zspace/mozilla-git/toolkit/xre/nsAndroidStartup.cpp:132
#49 0x80b15368 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x2edd10, jc=0xedd10, one=0xe) at /home/kats/zspace/mozilla-git/mozglue/android/APKOpen.cpp:286
#50 0xaca11d38 in dvmPlatformInvoke () from libdvm.so
#51 0xaca41246 in dvmCallJNIMethod_general () from libdvm.so
#52 0xaca41246 in dvmCallJNIMethod_general () from libdvm.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 1 • 13 years ago (Reporter)
Building Fennec on Mac OS X also crashes similarly, although I don't have gdb working there so I can't confirm it's the same crash.
Comment 2 • 13 years ago (Reporter)
Rebuilt on Linux using d85920b5691b and the crashes are still happening, but now gdb doesn't give me anything useful: 0xaff15c2c in ?? () from libc.so is frame 0, the next couple are for _fwalk () in libc.so.
Comment 3 • 13 years ago (Reporter)
All of these builds also crash on a Motorola Droid Pro running Android 2.2.
Comment 4 • 13 years ago (Reporter)
Also, to provide a better regression range, building m-c as of changeset 011e3cef6068 works fine. So something between 011e3cef6068 and c42d08fdec34 introduced this problem.
Keywords: regression
Updated • 13 years ago
Updated • 13 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Comment 6 • 13 years ago
I have an updated range:
e79ef0ffcb09 is good
2f310f456107 is bad
Updated • 11 years ago
tracking-fennec: ? → ---