Closed
Bug 901333
Opened 11 years ago
Closed 9 years ago
crash in js::types::TypeSet::hasType(js::types::Type)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: wgianopoulos, Unassigned)
References
()
Details
(Keywords: crash, regression, reproducible)
Crash Data
This bug was filed from the Socorro interface and is report bp-50c16486-c8a3-4549-b498-86b392130804 . =============================================================
|
Reporter | |
Comment 1•11 years ago
|
||
I submitted this as a graphics bug rather than a javascript bug because it occurred in the WebGL conformance test. It also does NOT occur on another system I have also running Windows 7 64-bit that has NVIDIA graphics. graphics section of about:support is as follows: Graphics Adapter Description AMD Radeon(TM) HD 6520G Adapter Drivers aticfx64 aticfx64 aticfx64 aticfx32 aticfx32 aticfx32 atiumd64 atidxx64 atidxx64 atiumdag atidxx32 atidxx32 atiumdva atiumd6a atitmm64 Adapter RAM 512 Device ID 0x9647 Direct2D Enabled true DirectWrite Enabled true (6.2.9200.16571) Driver Date 10-13-2011 Driver Version 8.910.0.0 GPU #2 Active false GPU Accelerated Windows 1/1 Direct3D 10 Vendor ID 0x1002 WebGL Renderer Google Inc. -- ANGLE (AMD Radeon(TM) HD 6520G Direct3D9Ex vs_3_0 ps_3_0) windowLayerManagerRemote false AzureCanvasBackend direct2d AzureContentBackend direct2d AzureFallbackCanvasBackend cairo AzureSkiaAccelerated 0
|
|
Reporter | |
Comment 2•11 years ago
|
||
Changing the following preferences in about:config results in the following stack trace which might be more helpful: javascript.options.baselinejit.chrome;false javascript.options.baselinejit.content;false javascript.options.ion.content;false javascript.options.ion.parallel_compilation;false javascript.options.jit_hardening;false bp-c5ee72d1-40a2-41d3-9e03-c38e52130804
|
||
Comment 3•11 years ago
|
||
Crash for me on an Intel GPU so not a graphics bug: bp-fcfd7eb7-f7d4-4493-a214-5072a2130805 in the trunk, bp-d95f54a3-2875-446f-91ca-fd18b2130805 in 23.0 Beta, bp-c11a57b1-b0be-4b9b-b13f-759662130805 in 22.0 (same signature as in bug 799118). Using mozregression, the regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b672877ed046&tochange=0f7261e288f2
Assignee: nobody → general
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)] → [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) ]
status-firefox22:
--- → affected
status-firefox23:
--- → affected
status-firefox24:
--- → affected
status-firefox25:
--- → affected
Component: Graphics → JavaScript Engine
Keywords: regression,
reproducible
Version: Trunk → 22 Branch
|
|
Reporter | |
Comment 4•11 years ago
|
||
(In reply to Bill Gianopoulos [:WG9s] from comment #1) > occurred in the WebGL conformance test. It also does NOT occur on another > system I have also running Windows 7 64-bit that has NVIDIA graphics. It turns out this is NOT the case. It does crash on both configurations. It turns out that it does not crash on my own builds. As soon as a figure out the difference between my builds and the official builds I will try to bisect within the identified the regression range.
|
|
Reporter | |
Comment 5•11 years ago
|
||
Redoing this build with the same .mozconfig options as the official build did not help. I wonder if doing the build on a system with AMD64 makes a difference here.
|
|
Reporter | |
Comment 6•11 years ago
|
||
All that said I suspect this is a regression from bug 850548. I would like to either try backing it out of the official builds or changing it to make the fallback alignment be 8 rather than 4.
|
|
Reporter | |
Comment 7•11 years ago
|
||
(In reply to Bill Gianopoulos [:WG9s] from comment #6) > All that said I suspect this is a regression from bug 850548. I would like > to either try backing it out of the official builds or changing it to make > the fallback alignment be 8 rather than 4. Especially since the documentation on MSVC seems to say the alignment should be 8.
|
|
Reporter | |
Comment 8•11 years ago
|
||
My issue in duplicating this seems to be that it only fails on PGO builds.
|
|
Reporter | |
Comment 9•11 years ago
|
||
I will be unable to bisect withing the regression window as I had promised in comment 4, since this is only reproducible in PGO builds which require Visual C++ professional edition. I only have the Express version.
|
||
Comment 10•11 years ago
|
||
Seems this is also crashing http://magcius.github.io/bmdview.js/bmdview.html With similar crash reports like https://crash-stats.mozilla.com/report/index/86546717-daf8-4f51-bb52-ce7782130930
|
||
Comment 11•11 years ago
|
||
I think we need a tighter regression window to make meaningful progress. The alignment issue mentioned in comment 6 and 7 seems unlikely, given that it crashes with all JITs disabled. (Which it also does for Jasper, from an IRC conversation.)
Keywords: regressionwindow-wanted
|
Assignee | |
Updated•10 years ago
|
Assignee: general → nobody
|
||
Updated•9 years ago
|
Crash Signature: [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) ] → [@ js::types::TypeSet::hasType(js::types::Type)]
[@ js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) ]
[@ js::types::TypeSet::hasType]
[@ js::types::TypeMonitorResult ]
|
|
Reporter | |
Comment 13•9 years ago
|
||
I am unable to reproduce this crah with a current nightly build.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(wgianopoulos)
Resolution: --- → WORKSFORME
|
||
Updated•9 years ago
|
Keywords: regressionwindow-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•