Closed Bug 883562 Opened 11 years ago Closed 11 years ago

Crash [@ js::ObjectImpl::getSlot(unsigned int) ]

Categories

(Core :: JavaScript Engine, defect)

24 Branch
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 + verified

People

(Reporter: gps, Assigned: bhackett1024)

Details

(4 keywords)

Attachments

(1 file)

I am able to reproduce crashes on 2013-06-15 Nightly on Windows 7 by doing the following:

1) Load http://bl.ocks.org/mbostock/1667367
2) Place mouse in the lower chart, click and hold, and start moving left and right.
3) Crash occurs within a few mouse movements.

Crashes:
https://crash-stats.mozilla.com/report/index/bp-ec89df91-632c-4365-931d-105152130615
https://crash-stats.mozilla.com/report/index/bp-f886c393-6e5f-4763-9c11-bfc472130615
https://crash-stats.mozilla.com/report/index/bp-7fa7b653-96e0-4d32-ad9a-369be2130615
https://crash-stats.mozilla.com/report/index/bp-eec74f19-8e66-4302-8c1e-ae03c2130615

Unfortunately, I cannot reproduce in safe mode. I have a number of add-ons installed. I can load up Visual Studio and try to debug things if that will be helpful. Just needinfo me.
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)]
Keywords: crash
I can reproduce. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317

Stack trace:
Frame  Module     Signature                          Source
0      mozjs.dll  js::ObjectImpl::getSlot            js/src/vm/ObjectImpl.h:1400
1      mozjs.dll  InitFromBailout                    js/src/ion/BaselineBailouts.cpp:478
2      mozjs.dll  js::ion::BailoutIonToBaseline      js/src/ion/BaselineBailouts.cpp:1086
3      mozjs.dll  js::ion::Bailout                   js/src/ion/Bailouts.cpp:81
4                 @0x2bb6f8
5                 @0x4
6      mozjs.dll  js::ToNumberSlow                   js/src/jsnum.cpp:1463

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AObjectImpl%3A%3AgetSlot%28unsigned+int%29
Severity: normal → critical
Hardware: x86_64 → x86
Version: unspecified → 24 Branch
Regression window (m-i)

Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/18c1fd169792
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707

Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/ce43d28276e4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911

Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=18c1fd169792&tochange=ce43d28276e4

Suspected: Bug 678037
Blocks: LazyBytecode
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const]
OS: Windows 7 → All
Hardware: x86 → All
Attached patch: patch
I think this will fix these crashes (haven't confirmed). Bailing out from baseline would assume that functions read from the stack have a non-lazy script, which might not be the case for the callees of inlined Ion frames (see bug 883630).
Assignee: general → bhackett1024
Attachment #763259 - Flags: review?(jdemooij)
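The assumption described in the comment above, shown as an added example in a simplified C++ model. This is not SpiderMonkey source and not the patch attached to this bug; every type and function name is hypothetical, and compiling the script on demand is only one assumed way of removing the assumption.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified model; all names are hypothetical.
struct Script { std::string filename; std::size_t nslots; };

class Function {
    std::string lazySource_;          // kept until the body is compiled
    std::unique_ptr<Script> script_;  // null while the function is still lazy
public:
    explicit Function(std::string src) : lazySource_(std::move(src)) {}
    bool isLazy() const { return !script_; }

    // Precondition: !isLazy(). For a lazy function this yields no valid
    // script, so a caller that skips the check reads through a bad pointer.
    const Script* scriptAssumingCompiled() const { return script_.get(); }

    // Compiles on first use, so the result always refers to a valid script.
    const Script& getOrCreateScript() {
        if (isLazy())  // stand-in for compilation: one slot per source character
            script_.reset(new Script{"inline.js", lazySource_.size()});
        return *script_;
    }
};

// Rebuild frames for a chain of inlined callees read back from the stack.
// Returns the total slot count, or -1 where the unchecked read would have
// touched a lazy callee (in a real engine that is the crash, not a return code).
long rebuildUnchecked(const std::vector<Function*>& callees) {
    long total = 0;
    for (const Function* f : callees) {
        const Script* s = f->scriptAssumingCompiled();
        if (!s) return -1;
        total += static_cast<long>(s->nslots);
    }
    return total;
}

// Same walk, but every callee is guaranteed a script before it is used.
long rebuildChecked(const std::vector<Function*>& callees) {
    long total = 0;
    for (Function* f : callees)
        total += static_cast<long>(f->getOrCreateScript().nslots);
    return total;
}
```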
Pushing ahead of review to see if the crashes get fixed. https://hg.mozilla.org/integration/mozilla-inbound/rev/14fc609da59a
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Attachment #763259 - Flags: review?(jdemooij) → review+
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ] [@ js::ion::SnapshotIterator::slotValue(js::ion::SnapshotReader::Slot const&) ]
Verified as fixed with Firefox 24 beta 8 (build ID: 20130902131354), on Mac OSX 10.7.5, Ubuntu 12.10 32bit and Win 8 32bit. No more crashing with the URLs from comment 0, comment 3 and comment 4.

Reports from Socorro, regarding last month:

1) for the first signature, there are 9 crashes with 24.0b7
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AObjectImpl%3A%3AgetSlot%28unsigned+int%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-09-03+08%3A00%3A00&range_value=4
2) for the second signature, there aren't any crashes regarding last month
3) for the third signature, there are 2 crashes with 24.0b5
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3ASnapshotIterator%3A%3AslotValue%28js%3A%3Aion%3A%3ASnapshotReader%3A%3ASlot+const%26%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-09-03+08%3A00%3A00&range_value=4
QA Contact: manuela.muntean