Closed Bug 1210957 Opened 9 years ago Closed 6 years ago

ARM64: Segfault in function called from JSONParserBase::finishObject(). No JIT enabled.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM64
Unspecified
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jolesen, Unassigned)

References

Details

Build SpiderMonkey with --enable-simulator=arm64.
This reproduces on OS X and Linux, release or debug build.

$ dist/bin/js --no-baseline ../js/src/jit-test/tests/sunspider/check-string-tagcloud.js
Segmentation fault: 11

(lldb)
Process 76323 stopped
* thread #1: tid = 0x1863d8, 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4900570)
    frame #0: 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156
   153 	     * might have a lazy group, use getGroup() below, otherwise group().
   154 	     */
   155 	    bool hasLazyGroup() const {
-> 156 	        return group_->lazy();
   157 	    }
   158 	
   159 	    JSCompartment* compartment() const { return group_->compartment(); }
(lldb) bt
* thread #1: tid = 0x1863d8, 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4900570)
  * frame #0: 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156
    frame #1: 0x00000001003c864d js`JSObject::group(this=0x0000000004900570) const + 29 at jsobj.h:135
    frame #2: 0x00000001003a8b86 js`SameGroup(first=0x0000000105c671c0, second=0x0000000004900570) + 38 at ObjectGroup.cpp:963
    frame #3: 0x00000001003a8fdd js`js::CombinePlainObjectPropertyTypes(cx=0x0000000104845800, newObj=0x0000000004900570, compare=0x00000001048a3800, ncompare=21) + 93 at ObjectGroup.cpp:1022
(lldb) up 4
frame #4: 0x00000001003cac9c js`js::JSONParserBase::finishObject(this=0x00007fff5fbfb3d0, vp=JS::MutableHandleValue @ 0x00007fff5fbfaec0, properties=0x00000001048bad10) + 460 at JSONParser.cpp:596
   593 	
   594 	    if (!stack.empty() && stack.back().state == FinishArrayElement) {
   595 	        const ElementVector& elements = stack.back().elements();
-> 596 	        if (!CombinePlainObjectPropertyTypes(cx, obj, elements.begin(), elements.length()))
   597 	            return false;
   598 	    }
   599 	
(lldb) p obj
(JSObject *) $0 = 0x0000000004900570
(lldb) p *obj
error: Couldn't apply expression side effects : Couldn't dematerialize a result variable: couldn't read its memory
This does not currently reproduce, but Sunspider is now running as part of SM(arm64) in Treeherder, so we will know if it shows up again.
Status: NEW → RESOLVED
Closed: 6 years ago
Hardware: Unspecified → ARM64
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.