IonMonkey: crash @ JSRope::flattenInternal

RESOLVED DUPLICATE of bug 779411

Status

()

--
critical
RESOLVED DUPLICATE of bug 779411
6 years ago
6 years ago

People

(Reporter: ferongr, Assigned: jandem)

Tracking

(4 keywords)

18 Branch
x86
All
crash, regression, reproducible, topcrash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ion:p1:fx18], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Using a 32bit Nightly hourly after Ion landed. Cset: fdfaef738a00

Go to the pdf.js web demo (see URL field) and start zooming in and out of the example PDF using the reader's toolbar buttons. After some 10-20 zoom changes the browser crashes. Example crash IDs follow.

bp-d34e08ee-4f07-4235-bf6b-191712120911
bp-fe76d5e6-9b4e-4151-adb2-a464c2120911
bp-3f59cb80-66e6-4779-87e6-f09b12120911
bp-ece93ac7-2b35-4ae1-a1e9-3bac12120911
bp-12a2ada1-cacb-4698-8711-c9c5c2120911
(Reporter)

Updated

6 years ago
Blocks: 650180
No longer blocks: 650180
Summary: Crash @ mozjs.dll@0xf571f → IonMonkey: Crash @ mozjs.dll@0xf571f
Whiteboard: [ion:p1:fx18]
Tried against http://hg.mozilla.org/projects/ionmonkey/rev/01f6ddbb6542

bp-e557e340-edf3-40cc-b207-a80722120912

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JSRope::flattenInternal<1> 	js/src/vm/String.cpp:241
1 	mozjs.dll 	JS_GetStringCharsZAndLength 	js/src/jsapi.cpp:6192
2 	xul.dll 	mozilla::dom::ConvertJSValueToString 	obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1005
3 	xul.dll 	mozilla::dom::CanvasRenderingContext2DBinding::set_font 	obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2135
4 		@0x69eb296

Comment 2

6 years ago
It's currently #1 top crasher in today's nightly. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=96287ad60bef&tochange=fdfaef738a00

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSRope%3A%3AflattenInternal%3Cint%3E%28JSContext*%29
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)]
Ever confirmed: true
Keywords: crash, regression, reproducible, topcrash
Hardware: x86_64 → x86
Summary: IonMonkey: Crash @ mozjs.dll@0xf571f → IonMonkey: crash @ JSRope::flattenInternal
Version: Trunk → 18 Branch

Updated

6 years ago
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)] → [@ JSRope::flattenInternal<int>(JSContext*)] [@ JSRope::flattenInternal<(JSRope::UsingBarrier)1u>]
tracking-firefox18: --- → ?
OS: Windows 7 → All

Comment 3

6 years ago
Note that this is being mentioned in bug 790663, possibly a way to repro this crash.
I get this in the profiler addon as well.
tracking-firefox18: ? → +

Comment 6

6 years ago
There are about 400 crashes per build.

Comment 8

6 years ago
Changing the URL has this one is an immediate crash.
(Assignee)

Comment 9

6 years ago
I can reproduce this, it's a regalloc problem with LSetDomProperty. JSRope::flattenInternal is just one of the many places this will crash, so fixing it should hopefully also get rid of some other new topcrashes.

With bug 779411 this would have asserted immediately, will rebase and land that ASAP.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Depends on: 779411
http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/ work fine for me with today's Nightly. Resolving duplicate of the bug that fixed them.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 779411

Comment 11

6 years ago
(In reply to Sean Stangl from comment #10)
> http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/
> work fine for me with today's Nightly. Resolving duplicate of the bug that
> fixed them.
> 
> *** This bug has been marked as a duplicate of bug 779411 ***

Today's nightly doesn't even include that.  Are you sure you were using a nightly build and not an hourly?
Hm, you're right that the nightly doesn't include that. I am using a nightly build, and as of today it no longer reproduces for me. I'll leave open for someone else to confirm tomorrow.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Comment 13

6 years ago
I'm trying the latest Nightly and it doesn't crash anymore with the links posted previously. So I guess it's fixed.
(In reply to Loic from comment #13)
> I'm trying the latest Nightly and it doesn't crash anymore with the links
> posted previously. So I guess it's fixed.

Thanks!
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 779411
I'm still crashing on http://www.syngames.net/game/braidjump on the latest nightly.

Updated

6 years ago
No longer depends on: 779411
Whoops, I thought bug 791589 was a dupe of this - sorry.

Updated

6 years ago
tracking-firefox18: + → ---
You need to log in before you can comment on or make changes to this bug.