Closed
Bug 1100083
Opened 10 years ago
Closed 10 years ago
Crash [@ js::jit::Simulator::disable_single_stepping]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
Tracking | Status | |
---|---|---|
firefox36 | --- | affected |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
4.97 KB, text/plain
906 bytes, patch (djvj: review+)
disableSingleStepProfiling();

crashes js debug ARM-simulator shell on m-c changeset a52bf59965a0 with --fuzzing-safe --ion-eager --no-threads at js::jit::Simulator::disable_single_stepping.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz. The specific file, which was run with random flag combinations, is:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/basic/bug908915.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a90a7709ab2d
user: Luke Wagner
date: Mon Jul 21 10:58:12 2014 -0500
summary: Bug 1027885 - OdinMonkey: maintain AsmJSActivation::fp in all frames in profiling mode (r=dougc)

Luke, is bug 1027885 a possible regressor?
Flags: needinfo?(luke)
Reporter
Comment 1•10 years ago
(lldb) bt 5
* thread #1: tid = 0x3d1172, 0x00000000, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000000
    frame #1: 0x0049b3a4 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::jit::Simulator::disable_single_stepping(this=0x0200a000) + 36 at Simulator-arm.cpp:4189
    frame #2: 0x000162bd js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`DisableSingleStepProfiling(cx=0x01a0d7e0, argc=0, vp=0xbfffed3c) + 45 at js.cpp:4145
    frame #3: 0x00713c68 js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::CallJSNative(cx=0x01a0d7e0, native=<unavailable>, args=0xbfffece4)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 184 at jscntxtinlines.h:231
    frame #4: 0x006cdb1c js-dbg-opt-32-dm-nsprBuild-armSim-darwin-a52bf59965a0`js::Invoke(cx=0x01a0d7e0, args=<unavailable>, construct=<unavailable>) + 476 at Interpreter.cpp:475
(lldb)
Assignee
Comment 2•10 years ago
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8523872 - Flags: review?(kvijayan)
Updated•10 years ago
Attachment #8523872 - Flags: review?(kvijayan) → review+
Assignee
Comment 3•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb0bfabda47c
https://hg.mozilla.org/mozilla-central/rev/bb0bfabda47c
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36