Closed Bug 1158407 Opened 9 years ago Closed 9 years ago

[jsdbg2] Crash under Debugger::appendAllocationSite

Categories

(DevTools :: Debugger, defect)

Product:
DevTools
Component:
Debugger
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox40 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 40
Tracking Flags:
Tracking Status
firefox40 --- fixed

People

(Reporter: fitzgen, Assigned: shu)

Details

Attachments

(1 file, 1 obsolete file)

Stop using this one weird allocation fallback for MCreateThisWithTemplate.
7.47 KB, patch
terrence
: review+
Details | Diff | Splinter Review 
STR:

* Load amazon.com
* Open devtools profiler
* Enable "record memory" in profiler options menu
* start recording
* refresh
The VM function NewGCObject[0] called by Ion from createThisWithTemplate[1] calls the object metadata hook with a not-yet-fully-initialized JSObject in the nursery that doesn't have its group set yet.

[0] https://dxr.mozilla.org/mozilla-central/source/js/src/jit/VMFunctions.cpp#97
[1] https://dxr.mozilla.org/mozilla-central/source/js/src/jit/CodeGenerator.cpp#4806
Not sure how to fix this without duplicating all of masm.initGCThing inside NewGCObject, which is gross.
More cleanup.
Attachment #8597552 - Attachment is obsolete: true
Attachment #8597554 - Flags: review?(terrence)
Comment on attachment 8597554 [details] [diff] [review]
Stop using this one weird allocation fallback for MCreateThisWithTemplate.

Review of attachment 8597554 [details] [diff] [review]:
-----------------------------------------------------------------

\o/ It's absolutely *wonderful* to see that go!
Attachment #8597554 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/6adf6c6f9794
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox40: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 40
Assignee: nobody → shu
Product: Firefox → DevTools
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: