Closed Bug 790464 Opened 12 years ago Closed 12 years ago

IonMonkey: crash @ JSRope::flattenInternal

Categories

(Core :: JavaScript Engine, defect)

18 Branch
x86
All
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 779411

People

(Reporter: ferongr, Assigned: jandem)

References

()

Details

(4 keywords, Whiteboard: [ion:p1:fx18])

Crash Data

Attachments

(1 file)

Using a 32bit Nightly hourly after Ion landed. Cset: fdfaef738a00

Go to the pdf.js web demo (see URL field) and start zooming in and out of the example PDF using the reader's toolbar buttons. After some 10-20 zoom changes the browser crashes. Example crash IDs follow.

bp-d34e08ee-4f07-4235-bf6b-191712120911
bp-fe76d5e6-9b4e-4151-adb2-a464c2120911
bp-3f59cb80-66e6-4779-87e6-f09b12120911
bp-ece93ac7-2b35-4ae1-a1e9-3bac12120911
bp-12a2ada1-cacb-4698-8711-c9c5c2120911
Blocks: IonMonkey
No longer blocks: IonMonkey
Summary: Crash @ mozjs.dll@0xf571f → IonMonkey: Crash @ mozjs.dll@0xf571f
Whiteboard: [ion:p1:fx18]
Tried against http://hg.mozilla.org/projects/ionmonkey/rev/01f6ddbb6542

bp-e557e340-edf3-40cc-b207-a80722120912

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JSRope::flattenInternal<1> 	js/src/vm/String.cpp:241
1 	mozjs.dll 	JS_GetStringCharsZAndLength 	js/src/jsapi.cpp:6192
2 	xul.dll 	mozilla::dom::ConvertJSValueToString 	obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1005
3 	xul.dll 	mozilla::dom::CanvasRenderingContext2DBinding::set_font 	obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2135
4 		@0x69eb296
It's currently #1 top crasher in today's nightly. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=96287ad60bef&tochange=fdfaef738a00

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSRope%3A%3AflattenInternal%3Cint%3E%28JSContext*%29
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)]
Ever confirmed: true
Hardware: x86_64 → x86
Summary: IonMonkey: Crash @ mozjs.dll@0xf571f → IonMonkey: crash @ JSRope::flattenInternal
Version: Trunk → 18 Branch
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)] → [@ JSRope::flattenInternal<int>(JSContext*)] [@ JSRope::flattenInternal<(JSRope::UsingBarrier)1u>]
OS: Windows 7 → All
Note that this is being mentioned in bug 790663, possibly a way to repro this crash.
I get this in the profiler addon as well.
There are about 400 crashes per build.
Changing the URL has this one is an immediate crash.
I can reproduce this, it's a regalloc problem with LSetDomProperty. JSRope::flattenInternal is just one of the many places this will crash, so fixing it should hopefully also get rid of some other new topcrashes.

With bug 779411 this would have asserted immediately, will rebase and land that ASAP.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Depends on: 779411
http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/ work fine for me with today's Nightly. Resolving duplicate of the bug that fixed them.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
(In reply to Sean Stangl from comment #10)
> http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/
> work fine for me with today's Nightly. Resolving duplicate of the bug that
> fixed them.
> 
> *** This bug has been marked as a duplicate of bug 779411 ***

Today's nightly doesn't even include that.  Are you sure you were using a nightly build and not an hourly?
Hm, you're right that the nightly doesn't include that. I am using a nightly build, and as of today it no longer reproduces for me. I'll leave open for someone else to confirm tomorrow.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
I'm trying the latest Nightly and it doesn't crash anymore with the links posted previously. So I guess it's fixed.
(In reply to Loic from comment #13)
> I'm trying the latest Nightly and it doesn't crash anymore with the links
> posted previously. So I guess it's fixed.

Thanks!
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → DUPLICATE
I'm still crashing on http://www.syngames.net/game/braidjump on the latest nightly.
No longer depends on: 779411
Whoops, I thought bug 791589 was a dupe of this - sorry.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: