Closed
Bug 1205870
Opened 9 years ago
Closed 9 years ago
Crash [@ js::UnboxedArrayObject::create]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(2 files)
|
4.02 KB,
text/plain
|
Details | |
|
3.51 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
function f(x) {
f(x.slice(1));
}
f([
false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false, false, false, false, false, false,
false, false, false, false, false
]);
crashes js debug shell on m-c changeset de0e763b5210 with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays at js::UnboxedArrayObject::create.
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r de0e763b5210
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3a994e364343
user: Brian Hackett
date: Sat Jun 13 07:54:06 2015 -0700
summary: Bug 1172943 - Use unboxed arrays for JSON and script literal arrays, r=jandem.
Brian, is bug 1172943 a likely regressor?Flags: needinfo?(bhackett1024)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x70c372, 0x00000001003a85ea js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::UnboxedArrayObject::create(js::ExclusiveContext*, JS::Handle<js::ObjectGroup*>, unsigned int, js::NewObjectKind, unsigned int) [inlined] js::UnboxedArrayObject::exactCapacityIndex(capacity=<unavailable>) + 113 at UnboxedObject.cpp:1337, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001003a85ea js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::UnboxedArrayObject::create(js::ExclusiveContext*, JS::Handle<js::ObjectGroup*>, unsigned int, js::NewObjectKind, unsigned int) [inlined] js::UnboxedArrayObject::exactCapacityIndex(capacity=<unavailable>) + 113 at UnboxedObject.cpp:1337
frame #1: 0x00000001003a8579 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::UnboxedArrayObject::create(cx=0x000000010284c400, group=<unavailable>, length=<unavailable>, newKind=GenericObject, maxLength=<unavailable>) + 425 at UnboxedObject.cpp:1089
frame #2: 0x0000000100083403 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`JSObject* NewArrayTryUseGroup<4294967295u>(cx=0x000000010284c400, group=<unavailable>, length=<unavailable>, newKind=TenuredObject, forceAnalyze=<unavailable>) + 819 at jsarray.cpp:3464
frame #3: 0x000000010007e5c3 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::NewFullyAllocatedArrayTryReuseGroup(JSContext*, JSObject*, unsigned long, js::NewObjectKind, bool) [inlined] JSObject* NewArrayTryReuseGroup<4294967295u>(obj=<unavailable>) + 166 at jsarray.cpp:3519
frame #4: 0x000000010007e51d js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::NewFullyAllocatedArrayTryReuseGroup(cx=0x000000010284c400, obj=<unavailable>, length=73, newKind=GenericObject, forceAnalyze=false) + 29 at jsarray.cpp:3526
(lldb)
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 2•9 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
Assignee | |
Comment 3•9 years ago
|
||
Another inline capacity which the UnboxedArrayObject CapacityArray doesn't account for. I think I said this after the last bug like this but I finally went and wrote a script to find all the inline capacities, which is included with this patch. This patch also has a test to make sure we can create unboxed arrays of any possible inline capacity.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8663320 -
Flags: review?(jdemooij)
|
||
Updated•9 years ago
|
Attachment #8663320 -
Flags: review?(jdemooij) → review+
|
|
||
Comment 5•9 years ago
|
||
Brian, is it possible that one of your patches from this push http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6c84c452a23d&tochange=e40aeb2ee512 broke unboxed objects and regressed Octane-RegExp (both things happened only on Mac 32-bit on AWFY)?
Flags: needinfo?(bhackett1024)
https://hg.mozilla.org/mozilla-central/rev/03ac65b27fad
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
|
|
Assignee | |
Comment 7•9 years ago
|
||
(In reply to Guilherme Lima from comment #5) > Brian, is it possible that one of your patches from this push > http://hg.mozilla.org/integration/mozilla-inbound/ > pushloghtml?fromchange=6c84c452a23d&tochange=e40aeb2ee512 broke unboxed > objects and regressed Octane-RegExp (both things happened only on Mac 32-bit > on AWFY)? I think bug 1207821 will fix the broken unboxed objects line. I don't see a regression on octane-regexp, looking at the current state of AWFY.
Flags: needinfo?(bhackett1024)
You need to log in
before you can comment on or make changes to this bug.
Description
•