Closed
Bug 790464
Opened 12 years ago
Closed 12 years ago
IonMonkey: crash @ JSRope::flattenInternal
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 779411
People
(Reporter: ferongr, Assigned: jandem)
References
()
Details
(4 keywords, Whiteboard: [ion:p1:fx18])
Crash Data
Attachments
(1 file)
1.09 MB,
text/plain
|
Details |
Using a 32bit Nightly hourly after Ion landed. Cset: fdfaef738a00 Go to the pdf.js web demo (see URL field) and start zooming in and out of the example PDF using the reader's toolbar buttons. After some 10-20 zoom changes the browser crashes. Example crash IDs follow. bp-d34e08ee-4f07-4235-bf6b-191712120911 bp-fe76d5e6-9b4e-4151-adb2-a464c2120911 bp-3f59cb80-66e6-4779-87e6-f09b12120911 bp-ece93ac7-2b35-4ae1-a1e9-3bac12120911 bp-12a2ada1-cacb-4698-8711-c9c5c2120911
Updated•12 years ago
|
No longer blocks: IonMonkey
Summary: Crash @ mozjs.dll@0xf571f → IonMonkey: Crash @ mozjs.dll@0xf571f
Whiteboard: [ion:p1:fx18]
Comment 1•12 years ago
|
||
Tried against http://hg.mozilla.org/projects/ionmonkey/rev/01f6ddbb6542 bp-e557e340-edf3-40cc-b207-a80722120912 Frame Module Signature Source 0 mozjs.dll JSRope::flattenInternal<1> js/src/vm/String.cpp:241 1 mozjs.dll JS_GetStringCharsZAndLength js/src/jsapi.cpp:6192 2 xul.dll mozilla::dom::ConvertJSValueToString obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1005 3 xul.dll mozilla::dom::CanvasRenderingContext2DBinding::set_font obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2135 4 @0x69eb296
Comment 2•12 years ago
|
||
It's currently #1 top crasher in today's nightly. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=96287ad60bef&tochange=fdfaef738a00 More reports at: https://crash-stats.mozilla.com/report/list?signature=JSRope%3A%3AflattenInternal%3Cint%3E%28JSContext*%29
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)]
Ever confirmed: true
Hardware: x86_64 → x86
Summary: IonMonkey: Crash @ mozjs.dll@0xf571f → IonMonkey: crash @ JSRope::flattenInternal
Version: Trunk → 18 Branch
Updated•12 years ago
|
Crash Signature: [@ JSRope::flattenInternal<int>(JSContext*)] → [@ JSRope::flattenInternal<int>(JSContext*)]
[@ JSRope::flattenInternal<(JSRope::UsingBarrier)1u>]
tracking-firefox18:
--- → ?
OS: Windows 7 → All
Comment 3•12 years ago
|
||
Note that this is being mentioned in bug 790663, possibly a way to repro this crash.
Easier way to reproduce. 1. Go to http://html5puzzle.appspot.com/ 2. Click Play. 3. Wait a few seconds. bp-9896c159-57e9-4987-9645-9e4e32120912 bp-a0805bca-95ae-4824-968c-ab5402120912 bp-fb70d73d-7238-4400-a3be-e0fa22120912 bp-2b9668e2-fa0c-40e1-a466-590442120912 bp-5037ac3d-7734-4cbd-9fdc-7726c2120912 bp-9bd3ef68-dc11-4a00-bf7c-a3c6e2120912
Comment 5•12 years ago
|
||
I get this in the profiler addon as well.
Updated•12 years ago
|
Comment 6•12 years ago
|
||
There are about 400 crashes per build.
Comment 7•12 years ago
|
||
http://seb.ly/demos/MMOsteroids.html causes Nightly to crash. https://crash-stats.mozilla.com/report/index/bp-ad8cf2a6-2173-4333-96b9-bc1232120917 https://crash-stats.mozilla.com/report/index/bp-675f4733-65e6-45bf-bfe6-39c9d2120917 Probably not necessary at this point, but I'm attaching a windbg log anyways.
Comment 8•12 years ago
|
||
Changing the URL has this one is an immediate crash.
Assignee | ||
Comment 9•12 years ago
|
||
I can reproduce this, it's a regalloc problem with LSetDomProperty. JSRope::flattenInternal is just one of the many places this will crash, so fixing it should hopefully also get rid of some other new topcrashes. With bug 779411 this would have asserted immediately, will rebase and land that ASAP.
Comment 10•12 years ago
|
||
http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/ work fine for me with today's Nightly. Resolving duplicate of the bug that fixed them.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Comment 11•12 years ago
|
||
(In reply to Sean Stangl from comment #10) > http://seb.ly/demos/MMOsteroids.html and http://html5puzzle.appspot.com/ > work fine for me with today's Nightly. Resolving duplicate of the bug that > fixed them. > > *** This bug has been marked as a duplicate of bug 779411 *** Today's nightly doesn't even include that. Are you sure you were using a nightly build and not an hourly?
Comment 12•12 years ago
|
||
Hm, you're right that the nightly doesn't include that. I am using a nightly build, and as of today it no longer reproduces for me. I'll leave open for someone else to confirm tomorrow.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 13•12 years ago
|
||
I'm trying the latest Nightly and it doesn't crash anymore with the links posted previously. So I guess it's fixed.
Comment 14•12 years ago
|
||
(In reply to Loic from comment #13) > I'm trying the latest Nightly and it doesn't crash anymore with the links > posted previously. So I guess it's fixed. Thanks!
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → DUPLICATE
Comment 15•12 years ago
|
||
I'm still crashing on http://www.syngames.net/game/braidjump on the latest nightly.
Comment 16•12 years ago
|
||
(In reply to Ben Hearsum [:bhearsum] from comment #15) > I'm still crashing on http://www.syngames.net/game/braidjump on the latest > nightly. There are no crashes with this crash signature on the latest Nightly: https://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A18.0a1&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=JSRope%3A%3AflattenInternal&reason=&build_id=20120919030602&process_type=any&hang_type=any&do_query=1
Comment 17•12 years ago
|
||
Whoops, I thought bug 791589 was a dupe of this - sorry.
Updated•12 years ago
|
tracking-firefox18:
+ → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•