Closed Bug 1191990 Opened 10 years ago Closed 10 years ago

crash in js::jit::JitcodeGlobalEntry::sweep(JSRuntime*)

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1194430
Tracking Flags:
Tracking Status
firefox42 --- affected

People

(Reporter: djc, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-6b7c0b1a-0cf9-42ae-8589-0b7872150806. ============================================================= Filed by request of shu in #jsapi, even though I don't have steps to reproduce.
Hardware: Unspecified → x86_64
I wonder if this is due to a scenario like: 1. IonEntry I's jitcode is about to finalized and is removed from the map inside JitcodeGlobalTable::sweep 2. IonCacheEntry C that rejoins into I's jitcode is *not* about to be finalized, and attempts to sweep its rejoin entry, which has already been removed. I'm not sure what would hold C's jitcode alive longer than the mainline jitcode though. Perhaps IonCacheEntry's sweep logic should just nop if it can't find a rejoin entry. Kannan, what do you think?
Flags: needinfo?(kvijayan)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.