Bug 1047079

Summary: firefox.i686 - baseline jit crash
Product: [Fedora] Fedora Reporter: Doug Huffman <doug.huffman1>
Component: firefoxAssignee: Martin Stransky <stransky>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: chrisa, doug.huffman1, gecko-bugs-nobody, luispetitt, skurtsev, stransky
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: i686   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/287ea90b62fd63420c10eeb7ccee7bbb5439213b
Whiteboard: abrt_hash:5414ed28f37ed94d0d2a24444a86f2e9a97b1b80
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-19 17:44:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages none

Description Doug Huffman 2013-12-28 21:36:32 UTC 
Description of problem:
Accessing the Wikipedia in not-Safe Mode with Adblock Plus add-on installed.  Note that there is no Mozilla Crash Reporter in this installation, nor a profile RESET button.

Version-Release number of selected component:
firefox-26.0-3.fc20

Additional info:
reporter:       libreport-2.1.10
backtrace_rating: 4
cmdline:        /usr/lib/firefox/firefox
crash_function: setInt32
executable:     /usr/lib/firefox/firefox
kernel:         3.12.5-302.fc20.i686+PAE
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 setInt32 at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/assembler/assembler/X86Assembler.h:3250
 #1 setRel32 at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/assembler/assembler/X86Assembler.h:3197
 #2 PatchJump at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/jit/x86/Assembler-x86.h:233
 #3 js::jit::IonRuntime::patchIonBackedges at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/jit/Ion.cpp:433
 #4 InterruptCheck at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/jit/VMFunctions.cpp:453
 #5 js::jit::CheckOverRecursedWithExtra at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/jit/VMFunctions.cpp:136
 #6 ??
 #7 ??
 #8 EnterBaseline at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/jit/BaselineJIT.cpp:121
 #9 js::jit::EnterBaselineMethod at /usr/src/debug/xulrunner-26.0/mozilla-release/js/src/jit/BaselineJIT.cpp:152

Potential duplicate: bug 1041671
Comment 1 Doug Huffman 2013-12-28 21:36:40 UTC 
Created attachment 842779 [details]
File: backtrace
Comment 2 Doug Huffman 2013-12-28 21:36:42 UTC 
Created attachment 842780 [details]
File: cgroup
Comment 3 Doug Huffman 2013-12-28 21:36:44 UTC 
Created attachment 842781 [details]
File: core_backtrace
Comment 4 Doug Huffman 2013-12-28 21:36:46 UTC 
Created attachment 842782 [details]
File: dso_list
Comment 5 Doug Huffman 2013-12-28 21:36:48 UTC 
Created attachment 842783 [details]
File: environ
Comment 6 Doug Huffman 2013-12-28 21:36:50 UTC 
Created attachment 842784 [details]
File: exploitable
Comment 7 Doug Huffman 2013-12-28 21:36:51 UTC 
Created attachment 842785 [details]
File: limits
Comment 8 Doug Huffman 2013-12-28 21:36:54 UTC 
Created attachment 842786 [details]
File: maps
Comment 9 Doug Huffman 2013-12-28 21:36:56 UTC 
Created attachment 842787 [details]
File: open_fds
Comment 10 Doug Huffman 2013-12-28 21:36:58 UTC 
Created attachment 842788 [details]
File: proc_pid_status
Comment 11 Doug Huffman 2013-12-28 21:36:59 UTC 
Created attachment 842789 [details]
File: var_log_messages
Comment 12 luis 2014-01-02 10:51:33 UTC 
Another user experienced a similar problem:

i was trying to save an image. when i clicked the ok button and  firefox crash.


reporter:       libreport-2.1.10
backtrace_rating: 4
cmdline:        /usr/lib/firefox/firefox
crash_function: setInt32
executable:     /usr/lib/firefox/firefox
kernel:         3.12.5-302.fc20.i686+PAE
package:        firefox-26.0-3.fc20
reason:         firefox killed by SIGSEGV
runlevel:       N 5
type:           CCpp
uid:            1000
Comment 13 Martin Stransky 2014-01-06 12:56:33 UTC 
This is an automated bug update. If you can reproduce the bug, please reopen and remove the [abrt] string from subject.

Thanks!
Comment 14 Christopher Archer 2014-01-07 04:10:33 UTC 
This bug is still happening in Fedora 20 with latest updates. Why was it just closed as WORKSFORME, and how can it be reopened?
Comment 15 Martin Stransky 2014-01-07 08:39:20 UTC 
Please try to disable baseline jit compiler (set javascript.options.baselinejit.* in about:config to false).
Comment 16 Martin Stransky 2014-09-15 13:30:30 UTC 
*** Bug 1041671 has been marked as a duplicate of this bug. ***
Comment 17 Martin Stransky 2014-09-15 13:34:11 UTC 
We're hitting various baseline jit crashes on i686 now. Still investigating. The ION jin engine is disabled right now for all i686 Fedora builds because the package even fails to build with it.

It also fails the JS tests so we have a reproducer for it. Interesting thing is that js fails only when build with "disable-debug" options.
Comment 18 Martin Stransky 2014-09-16 09:56:17 UTC 
Anyway, seems to be fixed on latest trunk.
Comment 19 Martin Stransky 2015-01-19 17:44:15 UTC 
Seems to be working fine now.