Closed Bug 1210957 Opened 9 years ago Closed 6 years ago

ARM64: Segfault in function called from JSONParserBase::finishObject(). No JIT enabled.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM64
Unspecified
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jolesen, Unassigned)

References

Details

Build SpiderMonkey with --enable-simulator=arm64. This reproduces on OS X and Linux, release or debug build. $ dist/bin/js --no-baseline ../js/src/jit-test/tests/sunspider/check-string-tagcloud.js Segmentation fault: 11 (lldb) Process 76323 stopped * thread #1: tid = 0x1863d8, 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4900570) frame #0: 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156 153 * might have a lazy group, use getGroup() below, otherwise group(). 154 */ 155 bool hasLazyGroup() const { -> 156 return group_->lazy(); 157 } 158 159 JSCompartment* compartment() const { return group_->compartment(); } (lldb) bt * thread #1: tid = 0x1863d8, 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4900570) * frame #0: 0x00000001003dbe45 js`JSObject::hasLazyGroup(this=0x0000000004900570) const + 21 at jsobj.h:156 frame #1: 0x00000001003c864d js`JSObject::group(this=0x0000000004900570) const + 29 at jsobj.h:135 frame #2: 0x00000001003a8b86 js`SameGroup(first=0x0000000105c671c0, second=0x0000000004900570) + 38 at ObjectGroup.cpp:963 frame #3: 0x00000001003a8fdd js`js::CombinePlainObjectPropertyTypes(cx=0x0000000104845800, newObj=0x0000000004900570, compare=0x00000001048a3800, ncompare=21) + 93 at ObjectGroup.cpp:1022 (lldb) up 4 frame #4: 0x00000001003cac9c js`js::JSONParserBase::finishObject(this=0x00007fff5fbfb3d0, vp=JS::MutableHandleValue @ 0x00007fff5fbfaec0, properties=0x00000001048bad10) + 460 at JSONParser.cpp:596 593 594 if (!stack.empty() && stack.back().state == FinishArrayElement) { 595 const ElementVector& elements = stack.back().elements(); -> 596 if (!CombinePlainObjectPropertyTypes(cx, obj, elements.begin(), elements.length())) 597 return false; 598 } 599 (lldb) p obj (JSObject *) $0 = 0x0000000004900570 (lldb) p *obj error: Couldn't apply expression side effects : Couldn't dematerialize a result variable: couldn't read its memory
This does not currently reproduce, but Sunspider is now running as part of SM(arm64) in Treeherder, so we will know if it shows up again.
Status: NEW → RESOLVED
Closed: 6 years ago
Hardware: Unspecified → ARM64
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.