Closed Bug 709909 Opened 13 years ago Closed 13 years ago

[IncrementalGC] Crash [@ JSObject::finalize]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: billm)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(1 file)

stack
6.27 KB, text/plain
Details
Attached file stack 
function tryItOut(code) {
    f = eval("(function(){" + code + "})");
    f()
}
function z(x, n) {
    for (;;) {
        x = {
            a: x
        };
    }
}
tryItOut("\
    for (l in [0]) {\
        z()\
    }\
");


crashes js opt shell on larch changeset 341396ef32a8 with -m and -a at JSObject::finalize

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   81489:ca2d2123be37
user:        Bill McCloskey
date:        Thu Dec 08 17:38:53 2011 -0800
summary:     [INCREMENTAL] Fix bug 708741
https://hg.mozilla.org/projects/larch/rev/43f95de7b6b8

This crashed for me, but with a different stack trace. However, it was a memory corruption bug, so I guess it's not surprising. I'm going to optimistically mark this as fixed. Gary, if you have time, you could backport this patch over the crashing revision and see if the crash goes away. However, I don't think that's strictly necessary.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Most of the testcases crashing at this signature did not crash anymore with latest larch tip, so yes, I think this has been fixed.
Crash Signature: [@ JSObject::finalize]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: