Bug 1161346 - Crash [@ js::UnboxedArrayObject::create]
Status: CLOSED, RESOLVED FIXED (opened 10 years ago, closed 10 years ago)
Category: Core :: JavaScript Engine, defect
Target milestone: mozilla41
Reporter: gkw; Assigned: bhackett1024
Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files): 3.30 KB text/plain; 1.95 KB patch (jandem: review+)
Description
function f() {
x = [];
x.push(false);
}
f();
f();
crashes js debug shell on m-c changeset 102d0e9aa9e1 with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays at js::UnboxedArrayObject::create.
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 102d0e9aa9e1
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150503013437" and the hash "599a8abf54a3".
The "bad" changeset has the timestamp "20150503081437" and the hash "020c6a559e3a".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=599a8abf54a3&tochange=020c6a559e3a
Brian, is bug 1146597 a likely regressor?
Flags: needinfo?(bhackett1024)
Comment 1 (Reporter, 10 years ago)
(lldb) bt 5
* thread #1: tid = 0x15e468, 0x000000010033f126 js-dbg-64-dm-nsprBuild-darwin-102d0e9aa9e1`js::UnboxedArrayObject::create(js::ExclusiveContext*, JS::Handle<js::ObjectGroup*>, unsigned int, js::NewObjectKind) + 85 at UnboxedObject.cpp:1247, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010033f126 js-dbg-64-dm-nsprBuild-darwin-102d0e9aa9e1`js::UnboxedArrayObject::create(js::ExclusiveContext*, JS::Handle<js::ObjectGroup*>, unsigned int, js::NewObjectKind) + 85 at UnboxedObject.cpp:1247
frame #1: 0x000000010033f0d1 js-dbg-64-dm-nsprBuild-darwin-102d0e9aa9e1`js::UnboxedArrayObject::create(cx=<unavailable>, group=<unavailable>, length=<unavailable>, newKind=GenericObject) + 337 at UnboxedObject.cpp:1035
frame #2: 0x000000010020954a js-dbg-64-dm-nsprBuild-darwin-102d0e9aa9e1`js::NewArrayOperation(cx=0x0000000101ea5180, script=<unavailable>, pc=<unavailable>, length=0, newKind=TenuredObject) + 362 at Interpreter.cpp:4718
frame #3: 0x00000001004124f4 js-dbg-64-dm-nsprBuild-darwin-102d0e9aa9e1`js::jit::DoNewArray(cx=0x0000000101ea5180, frame=<unavailable>, stub=0x0000000101eb9988, length=0, res=<unavailable>) + 260 at BaselineIC.cpp:1681
frame #4: 0x0000000101f8b187
(lldb)
Comment 2 (Assignee, 10 years ago)
Hmm, I guess I missed a possible capacity we can have with the possible combinations of architecture, object size and unboxed type element size. (If we hit this again I'll go and write a script to figure out the possible capacities programmatically.)
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8602279 - Flags: review?(jdemooij)
Comment 3 (10 years ago)
Comment on attachment 8602279 [details] [diff] [review]
patch
Review of attachment 8602279 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/vm/UnboxedObject.cpp
@@ +1263,3 @@
> };
>
> static const uint32_t MebiCapacityIndex = 39;
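Review bot: the hunk at +1263 shows only unchanged context, so the edit to CapacityArray itself is not visible here; since MebiCapacityIndex = 39 is a positional index into that array, any entry inserted before the Mebi slot needs this constant bumped in the same patch. A static_assert(CapacityArray[MebiCapacityIndex] == Mebi, "...") would reject a stale index in every build at compile time, whereas a MOZ_ASSERT only fires when a debug build actually executes that check.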
Should we update this constant? There is a MOZ_ASSERT(CapacityArray[MebiCapacityIndex] == Mebi) though, does it hit on jit-tests? Maybe it should be a static assert?
Attachment #8602279 - Flags: review?(jdemooij) → review+
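The review question above, pinning a hard-coded table index with a compile-time check, as an added illustration that is not the bug's patch or SpiderMonkey's code. The table, the Mebi entry's index (20 here, not the real 39), and the lookup functions are constructed for this example; the real CapacityArray and the capacity-selection logic in UnboxedObject.cpp are not reproduced. It shows what a static_assert gives over a debug-only runtime assert, and a lookup that reports "no suitable capacity" instead of reading past the table when a length has no entry, rather than crashing as this bug did when a needed capacity was missing.

```cpp
// Added illustration (not SpiderMonkey's code): a capacity table with a
// hard-coded named index, pinned by compile-time checks, plus a bounds-checked
// lookup that reports failure instead of reading past the table.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed sample table; the real CapacityArray in UnboxedObject.cpp is not
// reproduced. Entries must be strictly increasing for the search below.
constexpr uint32_t Mebi = 1u << 20;
constexpr uint32_t CapacityArray[] = {
    1, 2, 3, 4, 6, 8, 12, 16, 24, 32, 48, 64, 96, 128, 192, 256,
    384, 512, 768, 1024, Mebi
};
constexpr size_t CapacityCount = sizeof(CapacityArray) / sizeof(CapacityArray[0]);

// Position of Mebi in the table (the bug's constant is MebiCapacityIndex = 39
// for the real array; 20 is correct for this constructed one). A positional
// constant like this goes stale as soon as an entry is inserted before it.
constexpr size_t MebiCapacityIndex = 20;

// Compile-time pins: a debug-only runtime assert (MOZ_ASSERT) fires only when a
// debug build executes the check; static_assert fails every build immediately.
static_assert(MebiCapacityIndex < CapacityCount, "MebiCapacityIndex out of range");
static_assert(CapacityArray[MebiCapacityIndex] == Mebi, "MebiCapacityIndex is stale");

constexpr bool capacitiesStrictlyIncreasing() {
    for (size_t i = 1; i < CapacityCount; i++) {
        if (CapacityArray[i] <= CapacityArray[i - 1]) return false;
    }
    return true;
}
static_assert(capacitiesStrictlyIncreasing(), "CapacityArray must be sorted");

// Smallest table entry that can hold `length` elements. Returns false, with
// *index untouched, when no entry is large enough: the caller then reports an
// allocation failure rather than indexing off the end of the table.
bool capacityIndexFor(uint32_t length, size_t* index) {
    size_t lo = 0, hi = CapacityCount;  // lower_bound over the sorted table
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (CapacityArray[mid] < length) lo = mid + 1; else hi = mid;
    }
    if (lo == CapacityCount) return false;
    *index = lo;
    return true;
}

// Capacity to allocate for `length`, or 0 to signal "cannot allocate".
uint32_t capacityFor(uint32_t length) {
    size_t idx;
    return capacityIndexFor(length, &idx) ? CapacityArray[idx] : 0;
}

int main() {
    const uint32_t lengths[] = {0, 5, 1025, Mebi + 1};
    for (uint32_t n : lengths) {
        printf("length %u -> capacity %u\n", n, capacityFor(n));
    }
    return 0;
}
```

The two static_asserts are the point of the review comment: they make a stale MebiCapacityIndex a build failure rather than something that only a debug shell running the right jit-test would notice. The sortedness check and the false return from capacityIndexFor are the second half of the defence, so a length the table does not cover becomes an ordinary allocation failure instead of an out-of-bounds read.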
Comment 5 (10 years ago)
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox41: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41