Closed
Bug 612329
Opened 14 years ago
Closed 14 years ago
[Mac] Firefox 4.0b7 crash in [@ ReplaceCallback ]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: marcia, Assigned: luke)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file, 1 obsolete file)
(deleted), patch | Waldo: review+
Mac only crash seen while reviewing Beta 7 data. http://tinyurl.com/24ppjfj to the reports which are all x64.
One comment indicates: "Loading TinyMCE in my CMS"
Frame Module Signature Source
0 @0x7fffffe00800
1 XUL ReplaceCallback js/src/jsstr.cpp:2238
2 XUL DoMatch js/src/jsstr.cpp:1842
3 XUL js::str_replace js/src/jsstr.cpp:2408
4 @0x12edd1385
5 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:739
6 XUL js::Invoke js/src/jsinterp.cpp:662
7 XUL js_fun_apply js/src/jsfun.cpp:2341
8 @0x13bdac1b0
9 XUL XUL@0xefa30f
10 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:739
11 XUL js::Invoke js/src/jsinterp.cpp:662
12 XUL js_fun_apply js/src/jsfun.cpp:2341
13 @0x13bdac1b0
14 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:739
15 XUL js::Invoke js/src/jsinterp.cpp:662
16 XUL js::ExternalInvoke js/src/jsinterp.cpp:881
17 XUL JS_CallFunctionValue js/src/jsinterp.h:954
18 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2171
19 XUL nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:228
20 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1112
21 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1208
22 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:146
23 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:628
24 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6938
25 XUL PresShell::HandleEventWithTarget layout/base/nsPresShell.cpp:6787
26 XUL nsEventStateManager::CheckForAndDispatchClick content/events/src/nsEventStateManager.cpp:4051
27 XUL nsEventStateManager::PostHandleEvent content/events/src/nsEventStateManager.cpp:2959
28 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6961
29 XUL PresShell::HandlePositionedEvent layout/base/nsPresShell.cpp:6772
30 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6625
31 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6382
32 XUL nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1092
33 XUL HandleEvent view/src/nsView.cpp:161
34 XUL nsChildView::DispatchEvent widget/src/cocoa/nsChildView.mm:1786
35 XUL nsChildView::DispatchWindowEvent widget/src/cocoa/nsChildView.mm:1796
36 XUL -[ChildView mouseUp:] widget/src/cocoa/nsChildView.mm:3278
37 AppKit AppKit@0x13d3d8
38 CoreFoundation CoreFoundation@0x2232a
39 CoreFoundation CoreFoundation@0x1052b
40 libSystem.B.dylib libSystem.B.dylib@0x66b3
41 CoreFoundation CoreFoundation@0x65f1
42 CoreFoundation CoreFoundation@0xfcd6
43 CoreFoundation CoreFoundation@0x1052b
44 CoreFoundation CoreFoundation@0xfb2e
45 CoreFoundation CoreFoundation@0xfcd6
46 CoreFoundation CoreFoundation@0xfb2e
47 libSystem.B.dylib libSystem.B.dylib@0x6bf9
48 Foundation Foundation@0x61df
49 libobjc.A.dylib libobjc.A.dylib@0x619f
50 XUL -[ToolbarWindow sendEvent:] widget/src/cocoa/nsCocoaWindow.mm:2342
51 AppKit AppKit@0x72a85
52 CoreFoundation CoreFoundation@0x24688
53 AppKit AppKit@0x714a8
54 AppKit AppKit@0x749ec7
55 AppKit AppKit@0x749ec7
56 AppKit AppKit@0x43ac5
57 CoreFoundation CoreFoundation@0x1052b
58 XUL NewBuiltinClassInstanceXML js/src/jsobjinlines.h:222
59 @0x4093a7ffffffffff
60 CoreFoundation CoreFoundation@0x24814
61 AppKit AppKit@0x77e03f
62 AppKit AppKit@0x94d9
63 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:746
64 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:191
65 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3682
66 firefox-bin main browser/app/nsBrowserApp.cpp:158
67 firefox-bin firefox-bin@0x1953
Assignee
Comment 1•14 years ago
This crash happens at a random address called by ReplaceCallback. The only indirect call I can find in an inlinable call below ReplaceCallback is the one to InvokeSessionGuard::invoke. This could crash if code_ becomes invalid. Checking with dvander, this can actually happen (script recompilation in debug mode), but it's not likely to be the cause of this crash (none of the crash signatures show a debugger like Firebug loaded). This patch fixes the bug (by not using the optimized Gatling-gun path if debug mode is on) and inserts a characteristic release-build assert to catch any other ways that somehow invokeEntry is changing.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #490716 -
Flags: review?(dmandelin)
Attachment #490716 -
Flags: approval2.0?
Updated•14 years ago
Attachment #490716 -
Flags: review?(dmandelin)
Attachment #490716 -
Flags: review+
Attachment #490716 -
Flags: approval2.0?
Attachment #490716 -
Flags: approval2.0+
Assignee
Comment 2•14 years ago
I landed http://hg.mozilla.org/tracemonkey/rev/364f66956170 on tracemonkey, which should be merged to m-c pretty soon. Then we can see if these crashes decrease and/or the release-mode assert is hitting.
Comment 3•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Assignee
Comment 4•14 years ago
The patch landed was a diagnostic and does not fix this crash.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee
Comment 5•14 years ago
b8pre shows two crashes at the magic 0x101 address, so it seems that invokeEntry is still somehow changing. In light of this and upcoming changes in bug 617656 the Gatling gun should not cache the code pointer.
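The two patterns discussed in comments 1 and 5, as a small model added here for illustration; it is not the Mozilla patch or SpiderMonkey code, and every name in it (Script, CachingGuard, ReloadingGuard, recompile, the Path values) is hypothetical. It shows a guard that saves the entry pointer once, a diagnostic check that notices the pointer changed, and a guard that re-reads the pointer on each call with a fallback to the slow path.

```cpp
#include <cstdio>

// Constructed model; every name is hypothetical, none of this is SpiderMonkey code.
enum Path { SLOW_INVOKE, JIT_V1, JIT_V2, STALE_DETECTED };
typedef Path (*EntryFn)();

static Path entryV1() { return JIT_V1; }          // entry point of the first compilation
static Path entryV2() { return JIT_V2; }          // entry point after recompilation
static Path slowInvoke() { return SLOW_INVOKE; }  // generic call path, no cached pointer

struct Script {
    EntryFn invokeEntry;  // current JIT entry; null when the script has no JIT code
};

// In a real engine recompilation can also release the old code, leaving a saved
// copy of the old pointer dangling. Here entryV1 stays callable so the model is safe.
static void recompile(Script &s) { s.invokeEntry = entryV2; }

// Caching pattern: read the entry point once, reuse it for every call.
struct CachingGuard {
    Script &script;
    EntryFn code;
    explicit CachingGuard(Script &s) : script(s), code(s.invokeEntry) {}
    Path invoke() { return code(); }  // runs whatever was current at setup time
    // Diagnostic variant: report a changed entry point instead of calling it.
    Path checkedInvoke() { return code == script.invokeEntry ? code() : STALE_DETECTED; }
};

// Non-caching pattern: re-read the entry point on each call, fall back if absent.
struct ReloadingGuard {
    Script &script;
    explicit ReloadingGuard(Script &s) : script(s) {}
    Path invoke() {
        EntryFn code = script.invokeEntry;
        return code ? code() : slowInvoke();
    }
};

Path cachedAfterRecompile()   { Script s = { entryV1 }; CachingGuard g(s);   recompile(s); return g.invoke(); }
Path checkedAfterRecompile()  { Script s = { entryV1 }; CachingGuard g(s);   recompile(s); return g.checkedInvoke(); }
Path reloadedAfterRecompile() { Script s = { entryV1 }; ReloadingGuard g(s); recompile(s); return g.invoke(); }
Path reloadedWithoutJIT()     { Script s = { nullptr }; ReloadingGuard g(s); return g.invoke(); }

int main() {
    std::printf("cached=%d checked=%d reloaded=%d nojit=%d\n", cachedAfterRecompile(),
                checkedAfterRecompile(), reloadedAfterRecompile(), reloadedWithoutJIT());
    return 0;
}
```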
Assignee
Comment 6•14 years ago
Fortunately, this doesn't seem to hurt the overall speedup of the Gatling gun over normal Invoke (still around 30%).
Attachment #490716 -
Attachment is obsolete: true
Attachment #498357 -
Flags: review?(jwalden+bmo)
Updated•14 years ago
Attachment #498357 -
Flags: review?(jwalden+bmo) → review+
Assignee
Comment 7•14 years ago
http://hg.mozilla.org/tracemonkey/rev/da972b14d0a4
I won't mark this fixed-in-tracemonkey yet.
It breaks builds with disable-methodjit.
+ if (!optimized() || !(code = script_->getJIT(false /* !constructing */)->invokeEntry))
return Invoke(cx, args_, 0);
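Review bot: the added condition calls script_->getJIT(...) unconditionally, and the error reported with it shows JSScript has no getJIT member in a disable-methodjit build, so this line needs a build-time guard that leaves only the Invoke(cx, args_, 0) path in that configuration. The result of getJIT is also dereferenced with ->invokeEntry before any null test; if optimized() does not guarantee a non-null JIT object, test the returned pointer before reading invokeEntry.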
Error: getJIT is not a member of JSScript.
OS: Mac OS X → Windows 7
Assignee
Comment 10•14 years ago
This looks fixed; no b9pre crashes since the magic 0x101 went away.
Assignee
Comment 11•14 years ago
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Crash Signature: [@ ReplaceCallback ]