Closed Bug 580967 Opened 14 years ago Closed 14 years ago

TM: Crash [@ js::DefaultValue]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr])

Crash Data

(function(){
  (eval("\
    (function(){\
      if(XML('aa'.replace(/a/g,function(){for(l in[0,0,0]){\
        print(this)\
      }}))){('')}\
    })\
  "))()
})()

crashes js debug and opt shell on TM tip with -j at js::DefaultValue.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   40832:3de0a7da3a8e
user:        Andreas Gal
date:        Sun Apr 11 20:55:22 2010 -0700
summary:     Remove lingering defaultValue calls with hint JSTYPE_OBJECT or JSTYPE_FUNCTION (554550, r=brendan).

(gdb) bt
#0  0x00000000 in ?? ()
#1  0x080f5c1b in js::DefaultValue (cx=0x82bd680, obj=0xf7501578, hint=JSTYPE_STRING, vp=0xffffb430) at ../jsobj.cpp:5376
#2  0x08164b37 in js_ValueToString (cx=0x82bd680, arg=...) at ../jsstr.cpp:3443
#3  0x0805b23d in JS_ValueToString (cx=0x82bd680, v=...) at ../jsapi.cpp:427
#4  0x0804d345 in Print (cx=0x82bd680, argc=1, vp=0xffffb4d0) at ../../shell/js.cpp:1046
#5  0xf76aaf09 in ?? ()
#6  0x081b0841 in ExecuteTrace (cx=0x82bd680, f=0x82bcaa4, state=...) at ../jstracer.cpp:6600
#7  0x081b0d7d in ExecuteTree (cx=0x82bd680, f=0x82bcaa4, inlineCallCount=@0xffffc170, innermostNestedGuardp=0xffffb638, lrp=0xffffb63c)
    at ../jstracer.cpp:6701
#8  0x081b20f4 in js::MonitorLoopEdge (cx=0x82bd680, inlineCallCount=@0xffffc170, reason=js::Record_Branch) at ../jstracer.cpp:7206
#9  0x08213ccc in js::Interpret (cx=0x82bd680) at ../jsinterp.cpp:2897
#10 0x080d7d6b in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x82bd680, fun=0xf7504d70, script=0x82c3ac8, native=0, 
    args=..., flags=0) at ../jsinterp.cpp:585
#11 0x080d5608 in js::Invoke (cx=0x82bd680, args=..., flags=0) at ../jsinterp.cpp:676
#12 0x08161f7f in FindReplaceLength (cx=0x82bd680, rdata=..., sizep=0xffffc3f8) at ../jsstr.cpp:2041
#13 0x081622ef in ReplaceCallback (cx=0x82bd680, count=1, p=0xffffc4a4) at ../jsstr.cpp:2119
#14 0x081611f8 in DoMatch (cx=0x82bd680, vp=0xf77af1c0, str=0xf7500fb0, g=..., callback=0x816222e <ReplaceCallback>, data=0xffffc4a4, flags=REPLACE_ARGS)
    at ../jsstr.cpp:1755
#15 0x081628ab in str_replace (cx=0x82bd680, argc=2, vp=0xf77af1c0) at ../jsstr.cpp:2200
#16 0x08223ba0 in js::Interpret (cx=0x82bd680) at ../jsinterp.cpp:4741
#17 0x080d5e52 in js::Execute (cx=0x82bd680, chain=0xf7501000, script=0x82c3cb0, down=0x0, flags=0, result=0xffffd1d0) at ../jsinterp.cpp:880
#18 0x0806f82c in JS_ExecuteScript (cx=0x82bd680, obj=0xf7501000, script=0x82c3cb0, rval=0xffffd1d0) at ../jsapi.cpp:4707
#19 0x0804c0db in Process (cx=0x82bd680, obj=0xf7501000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:532
#20 0x0804cc45 in ProcessArgs (cx=0x82bd680, obj=0xf7501000, argv=0xffffd3d8, argc=1) at ../../shell/js.cpp:853
#21 0x080552ad in shell (cx=0x82bd680, argc=1, argv=0xffffd3d8, envp=0xffffd3e0) at ../../shell/js.cpp:4951
#22 0x080553c9 in main (argc=1, argv=0xffffd3d8, envp=0xffffd3e0) at ../../shell/js.cpp:5038
(gdb) x/i $eip
=> 0x0:	Cannot access memory at address 0x0
OS: Linux → All
Hardware: x86 → All
blocking2.0: ? → betaN+
Cannot reproduce on TM tip (19f70f8c2b88) -j in debug shell.  I also tried varying the number of elements in the array 7, 8, and 9 to account for HOTLOOP being bumped to 8.
I think you also need to vary the number of characters in the string.
We don't trace replace(lambda), so the number of lambda invocations shouldn't need to change with HOTLOOP.  I still tried though, no crash.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   52303:d1d52f7820f2
user:        Andrew Drake
date:        Wed Jul 21 03:04:39 2010 -0700
summary:     [JAEGER] Implement trap part of debug API. r=dvander, b=570650
Resolution: WORKSFORME → FIXED
Crash Signature: [@ js::DefaultValue]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.