Closed Bug 925819 Opened 11 years ago Closed 11 years ago

crash in js::jit::Assembler::bind(js::jit::Label*, js::jit::BufferOffset)

Categories

Product/Component: Core :: JavaScript Engine: JIT
Type: defect
Platform: All / Android
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED DUPLICATE of bug 919592

People

(Reporter: aaronmt, Unassigned)

Details

(Keywords: crash, topcrash-b2g, Whiteboard: [b2g-crash][mobile-crash])

Crash Data

This bug was filed from the Socorro interface and is report bp-8fd116dd-264c-435a-a40b-53b9f2130923.

Caught during Android UI fuzzing. Need manual steps.

Aaron, are you still seeing this? Can you get us a testcase or something?

Marty, Doug: based on the signature and crash report, can you guys see if this is a known problem?
Flags: needinfo?(aaron.train)
I do not have any manual steps. I've only caught this once when filed. Looking at the crash volume there's only about 8 crashes starting in Firefox 25 (that match this signature).
Flags: needinfo?(aaron.train)
From Comment 0 Stack:

Frame  Module         Signature                                                                                                      Source
0      libxul.so      js::jit::Assembler::bind(js::jit::Label*, js::jit::BufferOffset)                                               js/src/jit/shared/IonAssemblerBuffer.h
1      libxul.so      void js::jit::MacroAssembler::patchableCallPreBarrier<js::jit::Address>(js::jit::Address const&, js::jit::MIRType)  js/src/jit/IonMacroAssembler.h
2      libxul.so      js::jit::BaselineCompiler::emit_JSOP_SETALIASEDVAR()                                                           js/src/jit/BaselineCompiler.cpp
3      libxul.so      js::jit::BaselineCompiler::emitBody()                                                                          js/src/jit/BaselineCompiler.cpp
4      libxul.so      js::jit::BaselineCompiler::compile()                                                                           js/src/jit/BaselineCompiler.cpp
5      libxul.so      BaselineCompile                                                                                                js/src/jit/BaselineJIT.cpp
6      libxul.so      CanEnterBaselineJIT                                                                                            js/src/jit/BaselineJIT.cpp
7      libxul.so      js::jit::CanEnterBaselineAtBranch(JSContext*, js::StackFrame*, bool)                                           js/src/jit/BaselineJIT.cpp
8      libxul.so      Interpret                                                                                                      js/src/vm/Interpreter.cpp
9      libxul.so      js::RunScript                                                                                                  js/src/vm/Interpreter.cpp
10     libxul.so      js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*)                                          js/src/vm/Interpreter.cpp
11     libxul.so      JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*)                                                 js/src/jsapi.cpp
12     libxul.so      nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**)  dom/base/nsJSUtils.cpp
13     libxul.so      nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**)  dom/base/nsJSEnvironment.cpp
14     libxul.so      nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&, void**)                                  content/base/src/nsScriptLoader.cpp
15     libxul.so      nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**)                                                   content/base/src/nsScriptLoader.cpp
16     libxul.so      nsScriptLoader::ProcessOffThreadRequest(void**)                                                                content/base/src/nsScriptLoader.cpp
17     libxul.so      NotifyOffThreadScriptLoadCompletedRunnable::Run                                                                content/base/src/nsScriptLoader.cpp
18     libxul.so      nsThread::ProcessNextEvent(bool, bool*)                                                                        xpcom/threads/nsThread.cpp
19     libxul.so      NS_ProcessNextEvent(nsIThread*, bool)                                                                          xpcom/glue/nsThreadUtils.cpp
20     libxul.so      mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)                                                   ipc/glue/MessagePump.cpp
21     libxul.so      MessageLoop::RunInternal()                                                                                     ipc/chromium/src/base/message_loop.cc
22     libxul.so      MessageLoop::Run()                                                                                             ipc/chromium/src/base/message_loop.cc
23     libxul.so      nsBaseAppShell::Run()                                                                                          widget/xpwidgets/nsBaseAppShell.cpp
24     libxul.so      nsAppStartup::Run()                                                                                            toolkit/components/startup/nsAppStartup.cpp
25     libxul.so      XREMain::XRE_mainRun()                                                                                         toolkit/xre/nsAppRunner.cpp
26     libxul.so      XREMain::XRE_main(int, char**, nsXREAppData const*)                                                            toolkit/xre/nsAppRunner.cpp
27     libxul.so      XRE_main                                                                                                       toolkit/xre/nsAppRunner.cpp
28     libxul.so      GeckoStart                                                                                                     toolkit/xre/nsAndroidStartup.cpp
29     libmozglue.so  Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun                                                           mozglue/android/APKOpen.cpp
(In reply to Jan de Mooij [:jandem] from comment #1)
> Aaron, are you still seeing this? Can you get us a testcase or something?
>
> Marty, Doug: based on the signature and crash report, can you guys see if
> this is a known problem?

The code looks like a simple of 'bind'. There are known problems with labels and very large blocks of code, and this might be resolved by the work in bug 760642.
Depends on: 760642
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE

Removing steps-wanted keyword because this bug has been resolved.

Keywords: steps-wanted