Closed
Bug 790464
Opened 13 years ago
Closed 13 years ago
IonMonkey: crash @ JSRope::flattenInternal
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 779411
People
(Reporter: ferongr, Assigned: jandem)
References
()
Details
(4 keywords, Whiteboard: [ion:p1:fx18])
Crash Data
Attachments
(1 file)
|
1.09 MB,
text/plain
|
Details |
Using a 32bit Nightly hourly after Ion landed. Cset: fdfaef738a00
Go to the pdf.js web demo (see URL field) and start zooming in and out of the example PDF using the reader's toolbar buttons. After some 10-20 zoom changes the browser crashes. Example crash IDs follow.
bp-d34e08ee-4f07-4235-bf6b-191712120911
bp-fe76d5e6-9b4e-4151-adb2-a464c2120911
bp-3f59cb80-66e6-4779-87e6-f09b12120911
bp-ece93ac7-2b35-4ae1-a1e9-3bac12120911
bp-12a2ada1-cacb-4698-8711-c9c5c2120911
|
||
Updated•13 years ago
|
No longer blocks: IonMonkey
Summary: Crash @ mozjs.dll@0xf571f → IonMonkey: Crash @ mozjs.dll@0xf571f
Whiteboard: [ion:p1:fx18]
|
|
||
Comment 1•13 years ago
|
||
Tried against http://hg.mozilla.org/projects/ionmonkey/rev/01f6ddbb6542
bp-e557e340-edf3-40cc-b207-a80722120912
Frame Module Signature Source
0 mozjs.dll JSRope::flattenInternal<1> js/src/vm/String.cpp:241
1 mozjs.dll JS_GetStringCharsZAndLength js/src/jsapi.cpp:6192
2 xul.dll mozilla::dom::ConvertJSValueToString obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1005
3 xul.dll mozilla::dom::CanvasRenderingContext2DBinding::set_font obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2135
4 @0x69eb296
|
||
Comment 2•13 years ago
|
||
It's currently #1 top crasher in today's nightly. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=96287ad60bef&tochange=fdfaef738a00
More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSRope%3A%3AflattenInternal%3Cint%3E%28JSContext*%29
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)]
Ever confirmed: true
Hardware: x86_64 → x86
Summary: IonMonkey: Crash @ mozjs.dll@0xf571f → IonMonkey: crash @ JSRope::flattenInternal
Version: Trunk → 18 Branch
|
|
||
Updated•13 years ago
|
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)] → [@ JSRope::flattenInternal<int>(JSContext*)]
[@ JSRope::flattenInternal<(JSRope::UsingBarrier)1u>]
tracking-firefox18:
--- → ?
OS: Windows 7 → All
|
|
||
Comment 3•13 years ago
|
||
Note that this is being mentioned in bug 790663, possibly a way to repro this crash.
Easier way to reproduce.
1. Go to http://html5puzzle.appspot.com/
2. Click Play.
3. Wait a few seconds.
bp-9896c159-57e9-4987-9645-9e4e32120912
bp-a0805bca-95ae-4824-968c-ab5402120912
bp-fb70d73d-7238-4400-a3be-e0fa22120912
bp-2b9668e2-fa0c-40e1-a466-590442120912
bp-5037ac3d-7734-4cbd-9fdc-7726c2120912
bp-9bd3ef68-dc11-4a00-bf7c-a3c6e2120912
|
||
Comment 5•13 years ago
|
||
I get this in the profiler addon as well.
|
||
Updated•13 years ago
|
|
|
||
Comment 6•13 years ago
|
||
There are about 400 crashes per build.
|
||
Comment 7•13 years ago
|
||
http://seb.ly/demos/MMOsteroids.html causes Nightly to crash.
https://crash-stats.mozilla.com/report/index/bp-ad8cf2a6-2173-4333-96b9-bc1232120917
https://crash-stats.mozilla.com/report/index/bp-675f4733-65e6-45bf-bfe6-39c9d2120917
Probably not necessary at this point, but I'm attaching a windbg log anyways.
|
|
||
Comment 8•13 years ago
|
||
Changing the URL has this one is an immediate crash.
|
Assignee | |
Comment 9•13 years ago
|
||
I can reproduce this, it's a regalloc problem with LSetDomProperty. JSRope::flattenInternal is just one of the many places this will crash, so fixing it should hopefully also get rid of some other new topcrashes.
With bug 779411 this would have asserted immediately, will rebase and land that ASAP.
|
||
Comment 10•13 years ago
|
||
http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/ work fine for me with today's Nightly. Resolving duplicate of the bug that fixed them.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
|
||
Comment 11•13 years ago
|
||
(In reply to Sean Stangl from comment #10)
> http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/
> work fine for me with today's Nightly. Resolving duplicate of the bug that
> fixed them.
>
> *** This bug has been marked as a duplicate of bug 779411 ***
Today's nightly doesn't even include that. Are you sure you were using a nightly build and not an hourly?
|
|
||
Comment 12•13 years ago
|
||
Hm, you're right that the nightly doesn't include that. I am using a nightly build, and as of today it no longer reproduces for me. I'll leave open for someone else to confirm tomorrow.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
|
||
Comment 13•13 years ago
|
||
I'm trying the latest Nightly and it doesn't crash anymore with the links posted previously. So I guess it's fixed.
|
|
||
Comment 14•13 years ago
|
||
(In reply to Loic from comment #13)
> I'm trying the latest Nightly and it doesn't crash anymore with the links
> posted previously. So I guess it's fixed.
Thanks!
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → DUPLICATE
|
||
Comment 15•13 years ago
|
||
I'm still crashing on http://www.syngames.net/game/braidjump on the latest nightly.
|
|
||
Comment 16•13 years ago
|
||
(In reply to Ben Hearsum [:bhearsum] from comment #15)
> I'm still crashing on http://www.syngames.net/game/braidjump on the latest
> nightly.
There are no crashes with this crash signature on the latest Nightly: https://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A18.0a1&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=JSRope%3A%3AflattenInternal&reason=&build_id=20120919030602&process_type=any&hang_type=any&do_query=1
|
|
||
Comment 17•13 years ago
|
||
Whoops, I thought bug 791589 was a dupe of this - sorry.
|
|
||
Updated•13 years ago
|
tracking-firefox18:
+ → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•