Closed Bug 790464 Opened 8 years ago Closed 8 years ago
Monkey: crash @ JSRope::flatten Internal
Using a 32bit Nightly hourly after Ion landed. Cset: fdfaef738a00 Go to the pdf.js web demo (see URL field) and start zooming in and out of the example PDF using the reader's toolbar buttons. After some 10-20 zoom changes the browser crashes. Example crash IDs follow. bp-d34e08ee-4f07-4235-bf6b-191712120911 bp-fe76d5e6-9b4e-4151-adb2-a464c2120911 bp-3f59cb80-66e6-4779-87e6-f09b12120911 bp-ece93ac7-2b35-4ae1-a1e9-3bac12120911 bp-12a2ada1-cacb-4698-8711-c9c5c2120911
No longer blocks: IonMonkey
Summary: Crash @ mozjs.dll@0xf571f → IonMonkey: Crash @ mozjs.dll@0xf571f
Tried against http://hg.mozilla.org/projects/ionmonkey/rev/01f6ddbb6542 bp-e557e340-edf3-40cc-b207-a80722120912 Frame Module Signature Source 0 mozjs.dll JSRope::flattenInternal<1> js/src/vm/String.cpp:241 1 mozjs.dll JS_GetStringCharsZAndLength js/src/jsapi.cpp:6192 2 xul.dll mozilla::dom::ConvertJSValueToString obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1005 3 xul.dll mozilla::dom::CanvasRenderingContext2DBinding::set_font obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2135 4 @0x69eb296
It's currently #1 top crasher in today's nightly. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=96287ad60bef&tochange=fdfaef738a00 More reports at: https://crash-stats.mozilla.com/report/list?signature=JSRope%3A%3AflattenInternal%3Cint%3E%28JSContext*%29
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)]
Ever confirmed: true
Hardware: x86_64 → x86
Summary: IonMonkey: Crash @ mozjs.dll@0xf571f → IonMonkey: crash @ JSRope::flattenInternal
Version: Trunk → 18 Branch
Note that this is being mentioned in bug 790663, possibly a way to repro this crash.
Easier way to reproduce. 1. Go to http://html5puzzle.appspot.com/ 2. Click Play. 3. Wait a few seconds. bp-9896c159-57e9-4987-9645-9e4e32120912 bp-a0805bca-95ae-4824-968c-ab5402120912 bp-fb70d73d-7238-4400-a3be-e0fa22120912 bp-2b9668e2-fa0c-40e1-a466-590442120912 bp-5037ac3d-7734-4cbd-9fdc-7726c2120912 bp-9bd3ef68-dc11-4a00-bf7c-a3c6e2120912
I get this in the profiler addon as well.
There are about 400 crashes per build.
http://seb.ly/demos/MMOsteroids.html causes Nightly to crash. https://crash-stats.mozilla.com/report/index/bp-ad8cf2a6-2173-4333-96b9-bc1232120917 https://crash-stats.mozilla.com/report/index/bp-675f4733-65e6-45bf-bfe6-39c9d2120917 Probably not necessary at this point, but I'm attaching a windbg log anyways.
Changing the URL has this one is an immediate crash.
I can reproduce this, it's a regalloc problem with LSetDomProperty. JSRope::flattenInternal is just one of the many places this will crash, so fixing it should hopefully also get rid of some other new topcrashes. With bug 779411 this would have asserted immediately, will rebase and land that ASAP.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Depends on: 779411
http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/ work fine for me with today's Nightly. Resolving duplicate of the bug that fixed them.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
(In reply to Sean Stangl from comment #10) > http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/ > work fine for me with today's Nightly. Resolving duplicate of the bug that > fixed them. > > *** This bug has been marked as a duplicate of bug 779411 *** Today's nightly doesn't even include that. Are you sure you were using a nightly build and not an hourly?
Hm, you're right that the nightly doesn't include that. I am using a nightly build, and as of today it no longer reproduces for me. I'll leave open for someone else to confirm tomorrow.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
I'm trying the latest Nightly and it doesn't crash anymore with the links posted previously. So I guess it's fixed.
(In reply to Loic from comment #13) > I'm trying the latest Nightly and it doesn't crash anymore with the links > posted previously. So I guess it's fixed. Thanks!
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → DUPLICATE
I'm still crashing on http://www.syngames.net/game/braidjump on the latest nightly.
(In reply to Ben Hearsum [:bhearsum] from comment #15) > I'm still crashing on http://www.syngames.net/game/braidjump on the latest > nightly. There are no crashes with this crash signature on the latest Nightly: https://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A18.0a1&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=JSRope%3A%3AflattenInternal&reason=&build_id=20120919030602&process_type=any&hang_type=any&do_query=1
Whoops, I thought bug 791589 was a dupe of this - sorry.
You need to log in before you can comment on or make changes to this bug.