[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

** Changed in: gcc-mozilla (Ubuntu Precise)
       Status: Fix Committed => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1471949

Title:
  Firefox 39 crashes on startup or within a few seconds on Precise/x86

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1471949/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
** Branch unlinked: lp:firefox
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
This bug was fixed in the package gcc-4.8 - 4.8.5-4ubuntu3

---
gcc-4.8 (4.8.5-4ubuntu3) yakkety; urgency=medium

  * Fix libjava testsuite with dejagnu 1.6, taken from the trunk.
  * Fix PR rtl-optimization/68955, PR rtl-optimization/64557, taken from 4.9.
    LP: #1471949.
  * Bump standards version.

 -- Matthias Klose  Fri, 06 May 2016 19:03:29 +0200

** Changed in: gcc-4.8 (Ubuntu)
       Status: New => Fix Released
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
** No longer affects: gcc-mozilla (Ubuntu Trusty)
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
** Also affects: gcc-4.8 (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: firefox (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: gcc-4.8 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: gcc-mozilla (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** No longer affects: gcc-4.8 (Ubuntu Precise)
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
** Also affects: gcc-mozilla (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: gcc-mozilla (Ubuntu)
       Status: New => Invalid

** Changed in: gcc-mozilla (Ubuntu Precise)
       Status: New => Fix Committed

** Changed in: gcc-mozilla (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: firefox (Ubuntu Precise)
       Status: Triaged => Fix Released

** Changed in: firefox (Ubuntu Precise)
     Assignee: (unassigned) => Chris Coulson (chrisccoulson)

** Changed in: gcc-mozilla (Ubuntu Precise)
     Assignee: (unassigned) => Chris Coulson (chrisccoulson)
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Which gcc version do the Mozilla developers use, because it seems as if their builds of Firefox 39 do not crash right on startup or within a few seconds thereafter. Would it not be acceptable for the moment to drop back to using gcc 4.8.2, till the bug introduced by gcc > 4.8.2 has been fixed?
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
In particular, the fix for https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64557 is the culprit

** Bug watch added: GCC Bugzilla #64557
   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64557
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
This is the change that breaks it:
https://github.com/gcc-mirror/gcc/commit/60909e42fa18ff70f878aebee2cb39bbe9998847
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Here's the disassembly from a good build with vanilla gcc 4.8.4. It's basically identical, but it contains 3 extra instructions that are missing from the broken build.

   0xf57fe991 <+1729>:  mov    0xa0(%ebp),%edx
   0xf57fe997 <+1735>:  mov    0x84(%esp),%esi      // %esi now points to |pn|
   0xf57fe99e <+1742>:  add    $0x18,%edx
   0xf57fe9a1 <+1745>:  cmpl   $0xfe,0x28(%esp)     // Compare |hops| with 254 (FREE_LEVEL - 1)
   0xf57fe9a9 <+1753>:  mov    %al,0x2(%esi)        // Calls pn->SetOp(op)
   0xf57fe9ac <+1756>:  mov    0x34(%esp),%eax      // %eax now contains |slot|
   0xf57fe9b0 <+1760>:  ja     0xf57fea10           // Jump if |hops| > 254
   0xf57fe9b2 <+1762>:  cmp    $0xff,%eax           // Compare |slot| with 0xff
   0xf57fe9b7 <+1767>:  ja     0xf57fe9f9           // Jump if |slot| > 0xff
   0xf57fe9b9 <+1769>:  mov    0x84(%esp),%esi      // %esi now points to |pn|
   0xf57fe9c0 <+1776>:  shl    $0x8,%eax            // Left shift new |slot| value by 8-bits
   // These next 3 instructions are missing in the broken build
   0xf57fe9c3 <+1779>:  mov    $0x1,%edi
   0xf57fe9c8 <+1784>:  movzbl 0x28(%esp),%edx      // %edx now contains |hops|
   0xf57fe9cd <+1789>:  mov    %dl,0x20(%esi)       // Save |hops| in to |level_| in pn->pn_u.name.cookie
   0xf57fe9d0 <+1792>:  mov    %eax,%edx            // %edx now contains |slot|
   0xf57fe9d2 <+1794>:  movzbl 0x20(%esi),%eax      // Load |level_| from pn->pn_u.name.cookie in to %eax
   0xf57fe9d6 <+1798>:  or     %edx,%eax            // %eax now contains the bitwise-OR of |level_| and new |slot| value
   0xf57fe9d8 <+1800>:  mov    %eax,0x20(%esi)      // Save the new values to |level_| and |slot_| in pn->pn_u.name.cookie
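The store sequence annotated above, modelled in C with and without the byte store of |hops|. This is an added example, not code from the thread, from Firefox or from gcc. It follows the word layout the disassembly uses (|level_| in the low byte at 0x20(%esi), |slot| shifted left by 8) and takes slot = 4 and FREE_LEVEL = 255 from the gdb output quoted elsewhere in this thread; the starting cookie value and hops = 1 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define FREE_LEVEL 0xffu /* "static FREE_LEVEL = 255" in the gdb output */

/* Cookie word at 0x20(%esi) as the disassembly treats it: |level_| is the
 * low byte, |slot_| sits above it (slot is shifted left by 8 before the OR). */
static uint32_t make_cookie(uint32_t level, uint32_t slot) {
    return (slot << 8) | (level & 0xffu);
}
static uint32_t cookie_level(uint32_t c) { return c & 0xffu; }
static uint32_t cookie_slot(uint32_t c) { return c >> 8; }
static int cookie_is_free(uint32_t c) { return cookie_level(c) == FREE_LEVEL; }

/* Good build: byte store of |hops|, reload, OR with slot << 8, word store. */
static uint32_t set_good(uint32_t cookie, uint32_t hops, uint32_t slot) {
    uint32_t eax = slot << 8;                    /* shl    $0x8,%eax       */
    cookie = (cookie & ~0xffu) | (hops & 0xffu); /* mov    %dl,0x20(%esi)  */
    uint32_t edx = eax;                          /* mov    %eax,%edx       */
    eax = cookie & 0xffu;                        /* movzbl 0x20(%esi),%eax */
    eax |= edx;                                  /* or     %edx,%eax       */
    return eax;                                  /* mov    %eax,0x20(%esi) */
}

/* Broken build: the same sequence without the byte store of |hops|, so the
 * reload picks up whatever |level_| held before the call. */
static uint32_t set_broken(uint32_t cookie, uint32_t hops, uint32_t slot) {
    (void)hops;                                  /* never written to memory */
    uint32_t eax = slot << 8;                    /* shl    $0x8,%eax       */
    uint32_t edx = eax;                          /* mov    %eax,%edx       */
    eax = cookie & 0xffu;                        /* movzbl: stale |level_| */
    eax |= edx;                                  /* or     %edx,%eax       */
    return eax;                                  /* mov    %eax,0x20(%esi) */
}

/* Mirrors the emitNameOp() branch quoted in the thread:
 * 1 = emitVarOp() path, 0 = emitAtomOp() path. */
static int takes_var_op_path(uint32_t cookie) { return !cookie_is_free(cookie); }

int main(void) {
    /* Assumption: the cookie starts out free with slot 0; hops = 1 is a
     * constructed value, slot = 4 matches the gdb output. */
    uint32_t before = make_cookie(FREE_LEVEL, 0);
    uint32_t good = set_good(before, 1, 4);
    uint32_t broken = set_broken(before, 1, 4);

    printf("good:   level_=%u slot_=%u -> %s\n",
           (unsigned)cookie_level(good), (unsigned)cookie_slot(good),
           takes_var_op_path(good) ? "emitVarOp" : "emitAtomOp");
    printf("broken: level_=%u slot_=%u -> %s\n",
           (unsigned)cookie_level(broken), (unsigned)cookie_slot(broken),
           takes_var_op_path(broken) ? "emitVarOp" : "emitAtomOp");
    return 0;
}
```

With the byte store missing, the model ends at level_ = 255, slot_ = 4, the same cookie value the gdb session in this thread prints.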
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Building with a vanilla gcc 4.8.4 does work though. It turns out that the svn-updates.diff patch that is applied to our build of gcc introduces the bug - so it's a regression between 4.8.4 and 4.8.5
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Note, this bug isn't fixed but we have worked around it by building Firefox with -fno-tree-pre, which disables the optimization that breaks it.
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Building Firefox with the gcc-4.8 package in trusty-updates also produces the same broken build, so it's a regression between 4.8.2 and our build of gcc 4.8.4
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Thanks for all infos..!
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Same problem on an up-to-date ubuntu trusty. Now I downgraded from firefox:amd64 39.0+build5-0ubuntu0.14.04.1 back to 38.0+build3-0ubuntu0.14.04.1 and everything works again
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
Hello, Chris. Today the ppa:ubuntu-mozilla-security/ppa has brought me firefox 39.0+build5-0ubuntu0.12.04.2. On Mint13 32-bit xfce, based on Ubuntu 12.04.5 32-bit, the reported problem seems to have been solved. Firefox 39.0 started up without crashing. Thanks a lot for all your time and efforts. Cheers, Karl
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
** Branch linked: lp:firefox

** Branch linked: lp:firefox/aurora

** Branch linked: lp:~mozillateam/firefox/firefox-beta.precise
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
The crash occurs because js::ScopeCoordinateName returns nullptr. The only way it can do that is if |id| is zero at http://hg.mozilla.org/releases/mozilla-release/file/7665b8d4d51f/js/src/vm/ScopeObject.cpp#l96. Unfortunately, it works fine in a debug build. I added a "MOZ_RELEASE_ASSERT(!JSID_IS_ZERO(id))" after http://hg.mozilla.org/releases/mozilla-release/file/7665b8d4d51f/js/src/vm/ScopeObject.cpp#l89 so I could crash Firefox when this happens and catch it in gdb.

At the point we hit this assert in gdb, |sc| has already been optimised out. However, by examining the incoming bytecode:

    (gdb) p *pc
    $2 = 136 '\210'
    (gdb) x pc+1
    0xb68b2e2: 0x

... we see that this is a JSOP_GETALIASEDVAR instruction and the |slot| argument is 0x00.

After adding some printf's to http://hg.mozilla.org/releases/mozilla-release/file/7665b8d4d51f/js/src/vm/ScopeObject.cpp#l72, I verified that no properties with slot=0 ever exist.

I added further asserts in js::frontend::BytecodeEmitter::emitScopeCoordOp() and verified that this instruction sequence was not being emitted here. After creating a small helper function to scan the bytecode at various stages in BytecodeEmitter, I managed to narrow the point at which this instruction sequence is emitted to js::frontend::BytecodeEmitter::emitNameOp(). Here, at http://hg.mozilla.org/releases/mozilla-release/file/7665b8d4d51f/js/src/frontend/BytecodeEmitter.cpp#l2272:

    if (!pn->pn_cookie.isFree()) {
        MOZ_ASSERT(JOF_OPTYPE(op) != JOF_ATOM);
        if (!emitVarOp(pn, op))
            return false;
    } else {
        if (!emitAtomOp(pn, op))
            return false;
    }

... despite |op| being equal to JSOP_GETALIASEDVAR, this code calls emitAtomOp() because the "if (!pn->pn_cookie.isFree()) {" check evaluates false. This is wrong - it should be calling emitVarOp(). Changing the MOZ_ASSERT at the top of js::frontend::BytecodeEmitter::emitAtomOp() to a MOZ_RELEASE_ASSERT verifies that we hit this.

In gdb:

    (gdb) f 1
    #1  0xf58099bf in emitAtomOp (op=, pn=0x825bc60, this=0xa408) at /home/chr1s/src/firefox/build-area/firefox-39.0+build5/js/src/frontend/BytecodeEmitter.cpp:1071
    1071        return emitAtomOp(pn->pn_atom, op);
    (gdb) p pn->pn_u.name.cookie
    $2 = {level_ = 255, slot_ = 4, static FREE_LEVEL = 255}

So, the correct branch is taken. Which means that |pn| is invalid. In fact, it goes wrong in js::frontend::BytecodeEmitter::tryConvertFreeName(), just here at http://hg.mozilla.org/releases/mozilla-release/file/7665b8d4d51f/js/src/frontend/BytecodeEmitter.cpp#l1567:

    JSOp op;
    switch (pn->getOp()) {
      case JSOP_GETNAME: op = JSOP_GETALIASEDVAR; break;
      case JSOP_SETNAME: op = JSOP_SETALIASEDVAR; break;
      default: return false;
    }

    pn->setOp(op);
    JS_ALWAYS_TRUE(pn->pn_cookie.set(parser->tokenStream, hops, slot));
    return true;

If I add a "MOZ_RELEASE_ASSERT(!pn->pn_cookie.isFree());" just before the "return true", then we hit this in our broken build. The line above calls js::frontend::UpvarCookie::set(), which is inlined from http://hg.mozilla.org/releases/mozilla-release/file/7665b8d4d51f/js/src/frontend/ParseNode.h#l51:

    bool set(TokenStream& ts, unsigned newLevel, uint32_t newSlot) {
        if (newLevel >= FREE_LEVEL)
            return ts.reportError(JSMSG_TOO_DEEP, js_function_str);

        if (newSlot >= SCOPECOORD_SLOT_LIMIT)
            return ts.reportError(JSMSG_TOO_MANY_LOCALS);

        level_ = newLevel;
        slot_ = newSlot;
        return true;
    }

... which seems simple enough. Note that |level_| and |slot_| both fit in to 32-bits, with |slot_| taking the least-significant byte and |level_| taking the other 3 bytes.

If I disassemble this bit of code in js::frontend::BytecodeEmitter::tryConvertFreeName() in a *good* build, starting at http://hg.mozilla.org/releases/mozilla-release/file/7665b8d4d51f/js/src/frontend/BytecodeEmitter.cpp#l1572:

The starting context looks like this:

    %eax = |op|
    0x1c(%esp) = |hops|
    0x24(%esp) = |slot|
    0x74(%esp) = |pn|

   0xf4eb978b <+1739>:  mov    0xa0(%ebp),%ecx
   0xf4eb9791 <+1745>:  mov    0x74(%esp),%edi      // %edi now points to |pn|
   0xf4eb9795 <+1749>:  add    $0x18,%ecx
   0xf4eb9798 <+1752>:  cmpl   $0xfe,0x1c(%esp)     // Compare |hops| with 254 (FREE_LEVEL - 1)
   0xf4eb97a0 <+1760>:  mov    %al,0x2(%edi)        // Calls pn->SetOp(op)
   0xf4eb97a3 <+1763>:  mov    0x24(%esp),%eax      // %eax now contains |slot|
   // Jump if |hops| > 254
   0xf4eb97a7 <+1767>:  ja     0xf4eb97e9
   0xf4eb97a9 <+1769>:  cmp    $0xff,%eax           // Compare |slot| with 0xff
   // Jump if |slot| > 0xff
   0xf4eb97ae <+1774>:  ja     0xf4eb980b
   0xf4eb97b0 <+1776>:  movzbl 0x1c(%esp),%ecx      // %ecx now contains |hops|
   0xf4eb97b5 <+1781>:  mov    0x74(%esp),%edi      // %edi now point
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
This broken build is also responsible for https://bugzilla.mozilla.org/show_bug.cgi?id=1172059

** Bug watch added: Mozilla Bugzilla #1172059
   https://bugzilla.mozilla.org/show_bug.cgi?id=1172059
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
I've tried this now with binutils 2.24 from Trusty (which produced a good build), and also the gold linker in Precise and I get the same issue. So it looks like this is specific to the compiler.
[Bug 1471949] Re: Firefox 39 crashes on startup or within a few seconds on Precise/x86
** Changed in: firefox (Ubuntu)
       Status: New => Invalid