Closed Bug 612329 Opened 14 years ago Closed 14 years ago

[Mac] Firefox 4.0b7 crash in [@ ReplaceCallback ]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: marcia, Assigned: luke)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file, 1 obsolete file)

Mac only crash seen while reviewing Beta 7 data. http://tinyurl.com/24ppjfj to the reports which are all x64. One comment indicates: "Loading TinyMCE in my CMS"

Frame Module Signature Source
0 @0x7fffffe00800
1 XUL ReplaceCallback js/src/jsstr.cpp:2238
2 XUL DoMatch js/src/jsstr.cpp:1842
3 XUL js::str_replace js/src/jsstr.cpp:2408
4 @0x12edd1385
5 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:739
6 XUL js::Invoke js/src/jsinterp.cpp:662
7 XUL js_fun_apply js/src/jsfun.cpp:2341
8 @0x13bdac1b0
9 XUL XUL@0xefa30f
10 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:739
11 XUL js::Invoke js/src/jsinterp.cpp:662
12 XUL js_fun_apply js/src/jsfun.cpp:2341
13 @0x13bdac1b0
14 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:739
15 XUL js::Invoke js/src/jsinterp.cpp:662
16 XUL js::ExternalInvoke js/src/jsinterp.cpp:881
17 XUL JS_CallFunctionValue js/src/jsinterp.h:954
18 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2171
19 XUL nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:228
20 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1112
21 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1208
22 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:146
23 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:628
24 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6938
25 XUL PresShell::HandleEventWithTarget layout/base/nsPresShell.cpp:6787
26 XUL nsEventStateManager::CheckForAndDispatchClick content/events/src/nsEventStateManager.cpp:4051
27 XUL nsEventStateManager::PostHandleEvent content/events/src/nsEventStateManager.cpp:2959
28 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6961
29 XUL PresShell::HandlePositionedEvent layout/base/nsPresShell.cpp:6772
30 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6625
31 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6382
32 XUL nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1092
33 XUL HandleEvent view/src/nsView.cpp:161
34 XUL nsChildView::DispatchEvent widget/src/cocoa/nsChildView.mm:1786
35 XUL nsChildView::DispatchWindowEvent widget/src/cocoa/nsChildView.mm:1796
36 XUL -[ChildView mouseUp:] widget/src/cocoa/nsChildView.mm:3278
37 AppKit AppKit@0x13d3d8
38 CoreFoundation CoreFoundation@0x2232a
39 CoreFoundation CoreFoundation@0x1052b
40 libSystem.B.dylib libSystem.B.dylib@0x66b3
41 CoreFoundation CoreFoundation@0x65f1
42 CoreFoundation CoreFoundation@0xfcd6
43 CoreFoundation CoreFoundation@0x1052b
44 CoreFoundation CoreFoundation@0xfb2e
45 CoreFoundation CoreFoundation@0xfcd6
46 CoreFoundation CoreFoundation@0xfb2e
47 libSystem.B.dylib libSystem.B.dylib@0x6bf9
48 Foundation Foundation@0x61df
49 libobjc.A.dylib libobjc.A.dylib@0x619f
50 XUL -[ToolbarWindow sendEvent:] widget/src/cocoa/nsCocoaWindow.mm:2342
51 AppKit AppKit@0x72a85
52 CoreFoundation CoreFoundation@0x24688
53 AppKit AppKit@0x714a8
54 AppKit AppKit@0x749ec7
55 AppKit AppKit@0x749ec7
56 AppKit AppKit@0x43ac5
57 CoreFoundation CoreFoundation@0x1052b
58 XUL NewBuiltinClassInstanceXML js/src/jsobjinlines.h:222
59 @0x4093a7ffffffffff
60 CoreFoundation CoreFoundation@0x24814
61 AppKit AppKit@0x77e03f
62 AppKit AppKit@0x94d9
63 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:746
64 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:191
65 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3682
66 firefox-bin main browser/app/nsBrowserApp.cpp:158
67 firefox-bin firefox-bin@0x1953
Attached patch fix debug mode, add release-assert (obsolete)
This crash happens at a random address called by ReplaceCallback. The only indirect call I can find in an inlinable call below ReplaceCallback is the one to InvokeSessionGuard::invoke. This could crash if code_ becomes invalid. Checking with dvander, this can actually happen (script recompilation in debug mode), but it's not likely to be the cause of this crash (none of the crash signatures show a debugger like Firebug loaded). This patch fixes the bug (by not using the optimized Gatling-gun path if debug mode is on) and inserts a characteristic release-build assert to catch any other ways that somehow invokeEntry is changing.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #490716 - Flags: review?(dmandelin)
Attachment #490716 - Flags: approval2.0?
Attachment #490716 - Flags: review?(dmandelin) → review+
Attachment #490716 - Flags: approval2.0? → approval2.0+
I landed http://hg.mozilla.org/tracemonkey/rev/364f66956170 on tracemonkey, which should be merged to m-c pretty soon. Then we can see if these crashes decrease and/or the release-mode assert is hitting.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
The patch landed was a diagnostic and does not fix this crash.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
b8pre shows two crashes at the magic 0x101 address, so it seems that invokeEntry is still somehow changing. In light of this and upcoming changes in bug 617656 the Gatling gun should not cache the code pointer.
Fortunately, this doesn't seem to hurt the overall speedup of the Gatling gun over normal Invoke (still around 30%).
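The stale-pointer pattern discussed in the comments above, as an added illustration that is not SpiderMonkey code: a session guard that reads the JIT entry pointer once per session (the shape the obsolete patch tried to guard with an assert) beside one that re-reads it through the script on every call and falls back to the slow path when no JIT code is present. JSScript, JITScript, getJIT and invokeEntry only mirror names from this bug; the two code versions returning different values is a constructed device so a caller can tell which one ran.

```cpp
#include <memory>

typedef int (*InvokeEntry)(int);

// Constructed stand-ins for JIT code. Real recompilation keeps the semantics and
// frees the old code; here the versions differ only so the result shows which ran.
static int entryV1(int x) { return x + 1; }    // code before recompilation
static int entryV2(int x) { return x * 10; }   // code after recompilation
static int interpret(int x) { return x * 10; } // slow path, matches current code

struct JITScript { InvokeEntry invokeEntry; };

struct JSScript {
    std::unique_ptr<JITScript> jit;
    JITScript *getJIT() const { return jit.get(); }               // null: no JIT code
    void recompile(InvokeEntry e) { jit.reset(new JITScript{e}); } // old JITScript freed
    void discardJIT() { jit.reset(); }
};

// Buggy shape: entry pointer captured when the guard is built and reused for
// every call in the session; a recompile between calls leaves it dangling.
class CachingSessionGuard {
    InvokeEntry code_;
public:
    explicit CachingSessionGuard(const JSScript &s) : code_(s.getJIT()->invokeEntry) {}
    int invoke(int x) const { return code_(x); }
};

// Fixed shape: re-read the pointer through the script on each call and take
// the slow path when there is no JIT code (the equivalent of calling Invoke).
class ReloadingSessionGuard {
    const JSScript &script_;
public:
    explicit ReloadingSessionGuard(const JSScript &s) : script_(s) {}
    int invoke(int x) const {
        JITScript *jit = script_.getJIT();
        InvokeEntry code = jit ? jit->invokeEntry : nullptr;
        return code ? code(x) : interpret(x);
    }
};

// One session of two calls with a recompile in between, like a replace callback
// invoked once per match. Returns the second call's result under each guard.
static int runCaching(int x) {
    JSScript s; s.recompile(entryV1);
    CachingSessionGuard g(s); g.invoke(x);
    s.recompile(entryV2);
    return g.invoke(x);  // still runs the pre-recompile code: stale
}
static int runReloading(int x, bool discard) {
    JSScript s; s.recompile(entryV1);
    ReloadingSessionGuard g(s); g.invoke(x);
    if (discard) s.discardJIT(); else s.recompile(entryV2);
    return g.invoke(x);  // current code or slow path: never stale
}
```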
Attachment #490716 - Attachment is obsolete: true
Attachment #498357 - Flags: review?(jwalden+bmo)
Attachment #498357 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/tracemonkey/rev/da972b14d0a4 I won't mark this fixed-in-tracemonkey yet.
It breaks builds with disable-methodjit.

+ if (!optimized() || !(code = script_->getJIT(false /* !constructing */)->invokeEntry)) return Invoke(cx, args_, 0);

Error: getJIT is not a member of JSScript.
OS: Mac OS X → Windows 7
Depends on: 623277
(In reply to comment #8)
> It breaks builds with disable-methodjit.

Bug 623277 is fixing this.
This looks fixed; no b9pre crashes since the magic 0x101 went away.
Status: REOPENED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ ReplaceCallback ]