Closed GoogleCodeExporter closed 9 years ago
Issue 116 has been merged into this issue.
Original comment by classi...@floodgap.com
on 5 Dec 2011 at 4:55
(116 is the hang monitor)
Original comment by classi...@floodgap.com
on 5 Dec 2011 at 4:56
Rolling to 12; these were not in Fx11 beta.
Original comment by classi...@floodgap.com
on 5 Mar 2012 at 4:27
Original comment by classi...@floodgap.com
on 14 Mar 2012 at 1:38
Scrollbars aren't in 12 either.
Original comment by classi...@floodgap.com
on 14 Mar 2012 at 1:39
https://bugzilla.mozilla.org/show_bug.cgi?id=749500 (for Fx15)
To ChildView we'll also need our 10.4 glue code for the modifier flags (https://bug731878.bugzilla.mozilla.org/attachment.cgi?id=610036).
Original comment by classi...@floodgap.com
on 21 May 2012 at 4:09
This is done. Now,
- 10.6 min system version
- nullptr -> nsnull (in a .h file or something) if not already done
Original comment by classi...@floodgap.com
on 31 Jul 2012 at 12:14
https://bugzilla.mozilla.org/show_bug.cgi?id=773518
This should be nop'ed out for 10.4; we don't have getiopolicy_np().
Original comment by classi...@floodgap.com
on 31 Jul 2012 at 10:31
Most of https://bug719320.bugzilla.mozilla.org/attachment.cgi?id=650077 is safe but we need to make sure modifierFlags is rewritten to our Tiger equivalent.
Original comment by classi...@floodgap.com
on 13 Aug 2012 at 3:24
Working on 17.
Two JS failures:
Starting program: /Volumes/BruceDeuce/src/mozilla-17a/obj-ff-dbg/dist/bin/js -a
-m -n tests/basic/bug657245.js
Reading symbols for shared libraries
....................+++...............................................+ done
Assertion failure: ptr <= rangeEnd, at
./../../dist/include/mozilla/RangedPtr.h:51
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00080584 in js::IndexToIdSlow (cx=<value temporarily unavailable, due to
optimizations>, index=<value temporarily unavailable, due to optimizations>,
idp=<value temporarily unavailable, due to optimizations>) at RangedPtr.h:70
70 MOZ_ASSERT(rangeStart <= rangeEnd);
(gdb) bt
#0 0x00080584 in js::IndexToIdSlow (cx=<value temporarily unavailable, due to
optimizations>, index=<value temporarily unavailable, due to optimizations>,
idp=<value temporarily unavailable, due to optimizations>) at RangedPtr.h:70
#1 0x0006aec4 in GetElement<unsigned int> (cx=0x1408dd0, obj={<> = {<No data
fields>}, ptr = 0xbfffd248}, index=4294967294, hole=0xbfffd254,
vp={<JS::MutableHandleBase<JS::Value>> =
{<JS::MutableValueOperations<JS::MutableHandle<JS::Value> >> =
{<JS::ValueOperations<JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No
data fields>}, <No data fields>}, ptr = 0xbfffd308}) at jsatominlines.h:106
#2 0x0006e014 in js::array_pop (cx=0x1408dd0, argc=<value temporarily
unavailable, due to optimizations>, vp=0x2008060) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/jsarray.cpp:2412
#3 0x0015c404 in js::CallJSNative (cx=0x1408dd0, native=0x6dec0
<js::array_pop(JSContext*, unsigned int, JS::Value*)>, args=@0xbfffd5dc) at
jscntxtinlines.h:372
#4 0x0015a410 in js::InvokeKernel (cx=0x1408dd0, args={<JS::CallReceiver> =
{usedRval_ = false, argv_ = 0x2008070}, argc_ = 0}, construct=js::NO_CONSTRUCT)
at /Volumes/BruceDeuce/src/mozilla-17a/js/src/jsinterp.cpp:352
#5 0x001454d0 in js::Interpret (cx=0x1408dd0, entryFrame=0x2008020,
interpMode=js::JSINTERP_NORMAL) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/jsinterp.cpp:2413
#6 0x004017ec in js::mjit::EnterMethodJIT (cx=0x1408dd0, fp=0x2008020,
code=<value temporarily unavailable, due to optimizations>,
stackLimit=0x23e8000, partial=false) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/methodjit/MethodJIT.cpp:1044
#7 0x00401d94 in CheckStackAndEnterMethodJIT (cx=0x1408dd0, fp=0x2008020,
code=0x10b8080, partial=false) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/methodjit/MethodJIT.cpp:1075
#8 0x00158ad0 in js::RunScript (cx=0x1408dd0, script=0x250d0b0, fp=<value
temporarily unavailable, due to optimizations>) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/jsinterp.cpp:306
#9 0x00159988 in js::ExecuteKernel (cx=0x1408dd0, script={<> = {<No data
fields>}, ptr = 0xbffff358}, scopeChain=<value temporarily unavailable, due to
optimizations>, thisv=<value temporarily unavailable, due to optimizations>,
type=<value temporarily unavailable, due to optimizations>, evalInFrame=<value
temporarily unavailable, due to optimizations>, result=0x0) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/jsinterp.cpp:494
#10 0x00159d20 in js::Execute (cx=0x1408dd0, script={<> = {<No data fields>},
ptr = 0xbffff358}, scopeChainArg=<value temporarily unavailable, due to
optimizations>, rval=0x0) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/jsinterp.cpp:532
#11 0x0003cb3c in JS_ExecuteScript (cx=0x1408dd0, objArg=0x2509040,
scriptArg=0x250d0b0, rval=0x0) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/jsapi.cpp:5638
#12 0x00010d54 in Process (cx=0x1408dd0, obj_=0x2509040, filename=0xbffff878
"tests/basic/bug657245.js", forceTTY=<value temporarily unavailable, due to
optimizations>) at /Volumes/BruceDeuce/src/mozilla-17a/js/src/shell/js.cpp:435
#13 0x00011c08 in Shell (cx=0x1408dd0, op=0xbffff5ec, envp=<value temporarily
unavailable, due to optimizations>) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/shell/js.cpp:4812
#14 0x000176e8 in main (argc=<value temporarily unavailable, due to
optimizations>, argv=<value temporarily unavailable, due to optimizations>,
envp=0xbffff788) at /Volumes/BruceDeuce/src/mozilla-17a/js/src/shell/js.cpp:5024
Starting program: /Volumes/BruceDeuce/src/mozilla-17a/obj-ff-dbg/dist/bin/js -a
-m -n tests/basic/testInitSingletons.js
Reading symbols for shared libraries
....................+++...............................................+ done
Assertion failure: ptr <= rangeEnd, at
./../../dist/include/mozilla/RangedPtr.h:51
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00080584 in js::IndexToIdSlow (cx=<value temporarily unavailable, due to
optimizations>, index=<value temporarily unavailable, due to optimizations>,
idp=<value temporarily unavailable, due to optimizations>) at RangedPtr.h:70
70 MOZ_ASSERT(rangeStart <= rangeEnd);
Same assertion, so probably the same bug. -d makes no difference.
Original comment by classi...@floodgap.com
on 16 Sep 2012 at 12:48
These tests fail even in the interpreter, so the JIT is not to blame.
Original comment by classi...@floodgap.com
on 16 Sep 2012 at 12:55
The test case is a one-liner. This crashes (including the interpreter):
Array(4294967294).pop();
This crashes:
Array(2147483649).pop();
This doesn't:
Array(2147483648).pop();
So it looks like it goes bang when it gets over the signed 32-bit int limit.
Original comment by classi...@floodgap.com
on 16 Sep 2012 at 1:44
Starting program: /Volumes/BruceDeuce/src/mozilla-17a/obj-ff-dbg/dist/bin/js
test.js
Reading symbols for shared libraries
....................+++...............................................+ done
Program received signal SIGTRAP, Trace/breakpoint trap.
js::IndexToIdSlow (cx=0x1408d90, index=2147483648, idp=0xbfffd250) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/jsatom.cpp:411
411 __asm__("trap\n");
(gdb) info locals
buf = {49151, 53804, 49151, 53808, 49151, 53776, 593, 39904, 49151, 53744}
(gdb) disp/i $pc
1: x/i $pc 0x80598 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+200>: trap
(gdb) set $pc+=4
(gdb) si
0x000805a0 137 MOZ_ASSERT(ptr - dec < ptr);
1: x/i $pc 0x805a0 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+208>: addi
r2,r30,74
(gdb) info locals
dec = Cannot access memory at address 0x0
(gdb) si
0x000805a4 137 MOZ_ASSERT(ptr - dec < ptr);
1: x/i $pc 0x805a4 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+212>: cmplw
cr7,r0,r2
(gdb)
0x000805a8 137 MOZ_ASSERT(ptr - dec < ptr);
1: x/i $pc 0x805a8 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+216>: bgt+
cr7,0x805e0 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+272>
(gdb)
50 MOZ_ASSERT(rangeStart <= ptr);
1: x/i $pc 0x805e0 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+272>: cmplw
cr7,r9,r2
(gdb)
0x000805e4 50 MOZ_ASSERT(rangeStart <= ptr);
1: x/i $pc 0x805e4 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+276>: ble+
cr7,0x80620 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+336>
(gdb)
0x00080620 196 fprintf(stderr, "Assertion failure: %s, at %s:%d\n",
s, file, ln);
1: x/i $pc 0x80620 <_ZN2js13IndexToIdSlowEP9JSContextjP4jsid+336>: addis
r29,r31,89
(gdb) i reg r0
r0 0xbfffd1ec 3221213676
(gdb) i reg r2
r2 0xbfffd1ea 3221213674
(gdb) i reg r9
r9 0xbfffd1d8 3221213656
Original comment by classi...@floodgap.com
on 16 Sep 2012 at 2:11
It's a gcc 4.0.1 miscompilation (will be very glad to jettison gcc 4.0.1 for
18). This fixes it, for future reference:
bool
IndexToIdSlow(JSContext *cx, uint32_t index, jsid *idp)
{
    JS_ASSERT(index > JSID_INT_MAX);

    jschar buf[UINT32_CHAR_BUFFER_LENGTH];
#if(0)
    RangedPtr<jschar> end(ArrayEnd(buf), buf, ArrayEnd(buf));
    RangedPtr<jschar> start = BackfillIndexInCharBuffer(index, end);
    JSAtom *atom = AtomizeChars(cx, start.get(), end - start);
#else
    // gcc 4.0.1 miscompiles the above, so we spell it out for it.
    jschar *end = ArrayEnd(buf);
    jschar *start = end;

    /* BackfillIndexInCharBuffer */
    uint32_t my_index = index;
    do {
        uint32_t next = my_index / 10, digit = my_index % 10;
        *--start = '0' + digit;
        my_index = next;
    } while (my_index > 0);

    JSAtom *atom = AtomizeChars(cx, start, end - start);
#endif
    if (!atom)
        return false;

    *idp = JSID_FROM_BITS((size_t)atom);
    return true;
}
Original comment by classi...@floodgap.com
on 16 Sep 2012 at 3:06
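A stand-alone regression check for the index-to-digits backfill across the signed 32-bit boundary, added here as an example; it is not TenFourFox or Mozilla code. `CheckedPtr`, `backfillIndex`, `matchesLibc` and `countMismatches` are hypothetical names, and `CheckedPtr` is a simplified stand-in for a range-checked pointer that reports a bounds failure instead of asserting. Building it with the compiler under suspicion shows whether that compiler produces the right digits for the values from the thread.

```cpp
// Added example: stand-alone regression check, not project code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Ten decimal digits is the most a uint32_t needs (4294967295).
static const size_t kMaxDigits = 10;

// Simplified stand-in for a range-checked pointer (assumption): every
// decrement is validated against [start, end]; failure is recorded in ok.
struct CheckedPtr {
    char *ptr, *start, *end;
    bool ok;
    CheckedPtr(char *p, char *s, char *e)
        : ptr(p), start(s), end(e), ok(s <= p && p <= e) {}
    void stepBack() {
        if (!ok || ptr == start) { ok = false; return; }
        --ptr;
    }
};

// Writes the decimal digits of index backwards from the end of buf.
// Returns the digit string, or "" if any bounds check failed.
std::string backfillIndex(uint32_t index) {
    char buf[kMaxDigits];
    CheckedPtr p(buf + kMaxDigits, buf, buf + kMaxDigits);
    do {
        uint32_t next = index / 10, digit = index % 10;
        p.stepBack();
        if (!p.ok) return std::string();
        *p.ptr = static_cast<char>('0' + digit);
        index = next;
    } while (index > 0);
    return std::string(p.ptr, static_cast<size_t>(p.end - p.ptr));
}

// Compares backfillIndex against the C library for one value.
bool matchesLibc(uint32_t index) {
    char ref[16];
    std::snprintf(ref, sizeof ref, "%lu", static_cast<unsigned long>(index));
    return backfillIndex(index) == ref;
}

// Boundary values around INT32_MAX taken from the thread, plus UINT32_MAX.
int countMismatches() {
    const uint32_t cases[] = {2147483647u, 2147483648u, 2147483649u,
                              4294967294u, 4294967295u};
    int bad = 0;
    for (uint32_t c : cases) if (!matchesLibc(c)) ++bad;
    return bad;
}
```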
The browser builds and works fine in safe mode, but JIT crashes within chrome.
#0 js::StackFrame::compartment (this=0xffffff87) at vm/Stack-inl.h:42
#1 0x07b1bab0 in js::mjit::ExpandInlineFrames (compartment=0x1acc000) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/methodjit/Retcon.cpp:306
#2 0x07656bd0 in JS_FrameIterator (cx=0x21f95f70, iteratorp=0xefff86d8) at
jscntxtinlines.h:634
#3 0x06840870 in XPCJSStack::CreateStack (cx=0x21f95f70, stack=0xefff8738) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCStack.cpp:53
#4 0x067e39ec in nsXPConnect::GetCurrentJSStack (this=<value temporarily
unavailable, due to optimizations>, aCurrentJSStack=0xefff87bc) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/nsXPConnect.cpp:1812
#5 0x0682161c in nsXPCException::NewException (aMessage=0x21f92100 "Component
returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED)
[nsIPrefBranch.getComplexValue]", aResult=2147549183, aLocation=0x0, aData=0x0,
exceptn=0xefff8858) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCException.cpp:408
#6 0x068431d8 in XPCThrower::BuildAndThrowException (cx=0x21f95f70,
rv=2147549183, sz=0x21f92100 "Component returned failure code: 0x8000ffff
(NS_ERROR_UNEXPECTED) [nsIPrefBranch.getComplexValue]") at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCThrower.cpp:182
#7 0x06843810 in XPCThrower::ThrowBadResult (rv=2153185284, result=2147549183,
ccx=@0xefff8c08) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCThrower.cpp:118
#8 0x06862170 in XPCWrappedNative::CallMethod (ccx=<value temporarily
unavailable, due to optimizations>, mode=<value temporarily unavailable, due to
optimizations>) at XPCInlines.h:637
#9 0x0686f280 in XPC_WN_CallMethod (cx=0x21f95f70, argc=2, vp=0x1242118) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1
478
(More stack frames follow...)
(gdb) bt 30
#0 js::StackFrame::compartment (this=0xffffff87) at vm/Stack-inl.h:42
#1 0x07b1bab0 in js::mjit::ExpandInlineFrames (compartment=0x1acc000) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/methodjit/Retcon.cpp:306
#2 0x07656bd0 in JS_FrameIterator (cx=0x21f95f70, iteratorp=0xefff86d8) at
jscntxtinlines.h:634
#3 0x06840870 in XPCJSStack::CreateStack (cx=0x21f95f70, stack=0xefff8738) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCStack.cpp:53
#4 0x067e39ec in nsXPConnect::GetCurrentJSStack (this=<value temporarily
unavailable, due to optimizations>, aCurrentJSStack=0xefff87bc) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/nsXPConnect.cpp:1812
#5 0x0682161c in nsXPCException::NewException (aMessage=0x21f92100 "Component
returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED)
[nsIPrefBranch.getComplexValue]", aResult=2147549183, aLocation=0x0, aData=0x0,
exceptn=0xefff8858) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCException.cpp:408
#6 0x068431d8 in XPCThrower::BuildAndThrowException (cx=0x21f95f70,
rv=2147549183, sz=0x21f92100 "Component returned failure code: 0x8000ffff
(NS_ERROR_UNEXPECTED) [nsIPrefBranch.getComplexValue]") at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCThrower.cpp:182
#7 0x06843810 in XPCThrower::ThrowBadResult (rv=2153185284, result=2147549183,
ccx=@0xefff8c08) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCThrower.cpp:118
#8 0x06862170 in XPCWrappedNative::CallMethod (ccx=<value temporarily
unavailable, due to optimizations>, mode=<value temporarily unavailable, due to
optimizations>) at XPCInlines.h:637
#9 0x0686f280 in XPC_WN_CallMethod (cx=0x21f95f70, argc=2, vp=0x1242118) at
/Volumes/BruceDeuce/src/mozilla-17a/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1
478
#10 0x07add8f8 in js::mjit::CallCompiler::generateNativeStub (this=0xefff9b78)
at jscntxtinlines.h:372
#11 0x07ac9edc in js::mjit::ic::NativeCall (f=@0xefff9ba0, ic=0x286a4794) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/methodjit/MonoIC.cpp:1021
#12 0x07b90b34 in _JaegerStubVeneer () at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/methodjit/TrampolinePPCOSX.s:274
#13 0x079edc84 in js::mjit::EnterMethodJIT (cx=0x21f95f70, fp=0x12420b8,
code=0x1d397000, stackLimit=0x1d397000, partial=8192) at
/Volumes/BruceDeuce/src/mozilla-17a/js/src/methodjit/MethodJIT.cpp:1017
Our old friend MonoIC makes me think this is another one where we need to pull
down a dummy frame.
Original comment by classi...@floodgap.com
on 18 Sep 2012 at 1:07
I've had enough of these types of bugs. ABI compliance GO
Original comment by classi...@floodgap.com
on 18 Sep 2012 at 2:17
The fixes for issue 179 resolve this problem. Now to deal with the separate
quit crash Tobias reported in
http://code.google.com/p/aurorafox/issues/detail?id=25
Original comment by classi...@floodgap.com
on 18 Sep 2012 at 4:18
We are operational in aurora.
Original comment by classi...@floodgap.com
on 27 Sep 2012 at 2:07
Original issue reported on code.google.com by
classi...@floodgap.com
on 12 Nov 2011 at 6:30