Closed Bug 795150 Opened 9 years ago Closed 9 years ago

IonMonkey: Crash in TestShouldDOMCall

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
18 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18

People

(Reporter: vladan, Assigned: efaust)

References

(
URL
)

Details

(Keywords: crash, regression, reproducible, Whiteboard: [ion:t])

Crash Data

Attachments

(1 file)

Fix
783 bytes, patch
bzbarsky
: review+
Details | Diff | Splinter Review 
While opening the Gecko Profiler page, I got a crash on a NULL pointer access in TestShouldDOMCall.

My crash report:

https://crash-stats.mozilla.com/report/index/57292627-7595-4ebc-8df3-933c72120927

Offending line:

http://hg.mozilla.org/mozilla-central/annotate/b038e9e2023f/js/src/ion/IonBuilder.cpp#l5550
Based on a comment, I found an URL that crashes Firefox.

More reports at: https://crash-stats.mozilla.com/report/list?signature=TestShouldDOMCall
URL: http://107.21.233.14:8877/928b474936e...
Severity: normal → critical
Crash Signature: [@ TestShouldDOMCall]
Keywords: crash, regression, reproducible
OS: Windows 7 → All
Hardware: x86_64 → All
Version: 16 Branch → 18 Branch
Eric, does anything obvious stick out here? Since it's a NPE, might be easy to tell from the crashing line and source code.
Whiteboard: [ion:t]
Uh, looks like It's executing in a runtime without any DOM stuff executing? Those callbacks are set in nsJSRuntime::Init().
I hear this crash happens in the profiler?

Does the profiler run things under strangely initialized JSRuntimes?
Attached patch FixSplinter Review 
So, after a little more digging, I discovered the root of the problem. We were compiling on a worker thread, which didn't have the callbacks. Normally, for various reasons, the callbacks that run on the main thread are not installed for workers, but in this case, it should be safe to do so. Rather than have the optimization only work on the main thread, we have added the appropriate callback to worker thread JSRuntimes.

The pdf of the paper in that link now loads nicely.
Assignee: general → efaustbmo
Status: NEW → ASSIGNED
Attachment #667512 - Flags: review?(bzbarsky)
Comment on attachment 667512 [details] [diff] [review]
Fix

r=me
Attachment #667512 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/e9633e93b7e2

Should this have a crashtest?
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
You need to log in before you can comment on or make changes to this bug.