Closed Bug 1120934 Opened 11 years ago Closed 11 years ago

js24: JIT trampoline is garbage collected on context destruction but never re-generated, leading to an invalid jump

Categories

(Core :: JavaScript Engine, defect)

24 Branch
x86
Linux
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 905926

People

(Reporter: smspillaz, Unassigned)

Details

Attachments

(2 files)

Attached file js24.cpp
User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/33.0.1750.152 Chrome/33.0.1750.152 Safari/537.36

Steps to reproduce:

Testcase for js24 and jstrunk attached. The crash only occurs on js24 (so far as I've tested) but I didn't see an associated bug for it, so the testcase may be of some interest.

Actual results:

Crashes in EnterBaseline
Attached file jstrunk.cpp
Above attachment is for trunk mozjs. The crash does not occur on trunk, but the testcase may be of some interest.
Component: General → JavaScript Engine
In version 24 we had the following code in js/src/gc/RootMarking.cpp:

    if (rt->hasContexts())
        jit::IonRuntime::Mark(trc);

So if you have no contexts we don't trace the IonRuntime. bholley fixed this in bug 905926 when he removed hasContexts(); we now use rt->isBeingDestroyed(). The fix should be in 27 (so the SM31 release should include it).
See also bug 890243, the workaround mentioned there (create a dummy JSContext) should work until you upgrade. Please let us know if you run into other problems.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
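The mechanism described in the comment above, as an added illustration that is not part of the bug report or of SpiderMonkey's code: a toy mark-sweep runtime whose JIT trampoline is traced either only while contexts exist (the js24 behaviour) or whenever the runtime is not being destroyed (the bug 905926 fix). All type and function names here (`Runtime`, `Context`, `TracePolicy`, `scenarioSurvives`) are this example's own, and "freed" is modelled as a flag rather than a real deallocation so the dangling jump can be reported instead of crashing.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// HasContexts mirrors the js24 root-marking condition quoted in the bug;
// IsBeingDestroyed mirrors the condition used after the fix. Example-only names.
enum class TracePolicy { HasContexts, IsBeingDestroyed };

struct GcCell {
    bool marked = false;
    bool freed = false;   // set by the sweep instead of actually freeing memory
};

struct Trampoline : GcCell {
    std::string name;     // e.g. "EnterBaseline"
};

struct Runtime;

struct Context {
    Runtime* rt;
    explicit Context(Runtime* r);
    ~Context();
    // Entering JIT code: false means we would jump into reclaimed memory.
    bool enterJit() const;
};

struct Runtime {
    TracePolicy policy;
    bool beingDestroyed = false;
    int liveContexts = 0;
    std::vector<std::unique_ptr<Trampoline>> heap;
    Trampoline* enterBaseline = nullptr;   // the JIT runtime's trampoline, generated once

    explicit Runtime(TracePolicy p) : policy(p) {
        auto t = std::make_unique<Trampoline>();
        t->name = "EnterBaseline";
        enterBaseline = t.get();
        heap.push_back(std::move(t));
    }

    bool hasContexts() const { return liveContexts > 0; }

    void markRoots() {
        // The one decision that matters: is the JIT runtime a GC root right now?
        bool traceJit = (policy == TracePolicy::HasContexts) ? hasContexts()
                                                             : !beingDestroyed;
        if (traceJit && enterBaseline && !enterBaseline->freed)
            enterBaseline->marked = true;
    }

    void gc() {
        for (auto& c : heap) c->marked = false;
        markRoots();
        for (auto& c : heap)
            if (!c->marked) c->freed = true;   // sweep unreached cells
        // The runtime keeps its stale pointer and never regenerates the
        // trampoline, which is what turns the next JIT entry into a bad jump.
    }
};

Context::Context(Runtime* r) : rt(r) { ++rt->liveContexts; }
Context::~Context() { --rt->liveContexts; }
bool Context::enterJit() const {
    return rt->enterBaseline && !rt->enterBaseline->freed;
}

// Reporter's scenario: create a context, destroy it, GC, create another.
// keepDummyContext models the bug 890243 workaround (a context that outlives
// the others so the context count never reaches zero). Returns true if the
// second context can still enter JIT code safely.
bool scenarioSurvives(TracePolicy policy, bool keepDummyContext) {
    Runtime rt(policy);
    std::unique_ptr<Context> dummy;                       // destroyed before rt
    if (keepDummyContext) dummy = std::make_unique<Context>(&rt);
    {
        Context cx(&rt);                                  // first, short-lived context
        (void)cx;
    }
    rt.gc();                                              // runs with zero (or one dummy) contexts
    Context cx2(&rt);
    return cx2.enterJit();                                // false == crash in EnterBaseline
}

int main() {
    std::printf("js24 policy, no dummy context:   %s\n",
                scenarioSurvives(TracePolicy::HasContexts, false) ? "ok" : "invalid jump");
    std::printf("js24 policy, dummy context kept: %s\n",
                scenarioSurvives(TracePolicy::HasContexts, true) ? "ok" : "invalid jump");
    std::printf("fixed policy, no dummy context:  %s\n",
                scenarioSurvives(TracePolicy::IsBeingDestroyed, false) ? "ok" : "invalid jump");
    return 0;
}
```

The first scenario is the reported crash: the only root that reaches the trampoline is conditional on a context existing, so a GC that runs between the last context's destruction and the next one's creation reclaims it. Keeping a dummy context alive removes the zero-context window; tracing unless the runtime is being destroyed removes the dependency on context count altogether.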