Closed Bug 846084 Opened 12 years ago Closed 6 years ago

crashes [@ getArgType] selecting keywords in bugzilla enter_bug.cgi

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: dbaron, Unassigned)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

I've crashed twice in the last two days manipulating the keywords field on https://bugzilla.mozilla.org/enter_bug.cgi?product=Core The steps to reproduce basically involve: * click in the keywords field * type "inter" (roughly) in the keywords field * click on "intermittent-failure" * click in the keywords field again * start to type "assertion, crash" and the browser crashes. #5 getArgType (i=<optimized out>, this=<optimized out>) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.h:699 #6 js::ion::IonBuilder::addTypeBarrier (this=0xd39a4f8, i=<optimized out>, callinfo=..., calleeObs=0x99a6098) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.cpp:3030 #7 0x00007fc65453b673 in js::ion::IonBuilder::inlineScriptedCall (this=0xd39a4f8, target=..., callInfo=...) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.cpp:2957 #8 0x00007fc65453c8e0 in js::ion::IonBuilder::inlineScriptedCalls (this=0xd39a4f8, targets=..., originals=..., callInfo=...) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.cpp:3562 #9 0x00007fc65453d935 in js::ion::IonBuilder::jsop_call (this=0xd39a4f8, argc=<optimized out>, constructing=249) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.cpp:4215 #10 0x00007fc65453e491 in js::ion::IonBuilder::inspectOpcode (this=0xd39a4f8, op=JSOP_CALL) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.cpp:943 #11 0x00007fc65453a38d in js::ion::IonBuilder::traverseBytecode (this=0xd39a4f8) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.cpp:690 #12 0x00007fc65453ee3e in js::ion::IonBuilder::build (this=0xd39a4f8) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/IonBuilder.cpp:352 #13 0x00007fc6545147d8 in js::ion::SequentialCompileContext::compile (this=<optimized out>, builder=0xd39a4f8, graph=0xd39a448, autoDelete=...) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/Ion.cpp:1240 #14 0x00007fc654515088 in IonCompile<js::ion::SequentialCompileContext> (compileContext=..., constructing=false, osrPc=0x2 <Address 0x2 out of bounds>, fun=0x7fc5a9e2fc80, script=0x7fc5a9e55b50, cx=0xd8d0db0) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/Ion.cpp:1195 #15 js::ion::Compile<js::ion::SequentialCompileContext> (cx=0xd8d0db0, script=..., fun=..., osrPc=0x2 <Address 0x2 out of bounds>, constructing=false, compileContext=...) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/Ion.cpp:1415 #16 0x00007fc654515c5e in js::ion::CanEnter (cx=0xd8d0db0, script=0x7fc5a9e55b50, fp=..., isConstructing=false, newType=false) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/Ion.cpp:1515 #17 0x00007fc654316422 in js::RunScript (cx=0xd8d0db0, fp=0x7fc623c00518) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jsinterp.cpp:297 #18 0x00007fc654316e2f in js::InvokeKernel (cx=0xd8d0db0, args=..., construct=js::NO_CONSTRUCT) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jsinterp.cpp:381 #19 0x00007fc65427aadd in js::Invoke (cx=<optimized out>, args=..., construct=<optimized out>) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jsinterp.h:135 #20 0x00007fc654317831 in js::Invoke (cx=0xd8d0db0, thisv=..., fval=..., argc=<optimized out>, argv=<optimized out>, rval=0x7fff19f861e8) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jsinterp.cpp:414 #21 0x00007fc65459eebc in js::ion::InvokeFunction (cx=0xd8d0db0, fun0=..., argc=1, argv=0x7fff19f86228, rval=0x7fff19f861e8) at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/ion/VMFunctions.cpp:112 #22 0x00007fc6019745cf in ?? () #23 0x00007fff19f86298 in ?? ()
Severity: normal → critical
Crash Signature: [@ getArgType() ]
This is a regression from Bug 796114.
Blocks: 796114
Flags: needinfo?(nicolas.b.pierron)
I haven't found any recent crash reported in crash-stat. So far I have no clue what this bug is related to. I tried to look at follow-up bugs of Bug 796114, but I cannot find one which might have fix an issue related to the stack trace pasted in comment 0. I might either miss something in the previous patches, or the bug has been indirectly fixed by Bug 849781.
Flags: needinfo?(nicolas.b.pierron)
Assignee: general → nobody
Crash Signature: [@ getArgType() ] → [@ getArgType() ] [@ getArgType ]
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.