Closed Bug 450139 Opened 11 years ago Closed 11 years ago

TM: LOAD_INTERRUPT_HANDLER must respect recording (crash in 3d-cube and 3d-raytrace)

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set

RESOLVED FIXED

People

(Reporter: sayrer, Assigned: brendan)

Details

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0008f30b in isPromoteInt ()
(gdb) bt
#0  0x0008f30b in isPromoteInt ()
#1  0x00091bde in TraceRecorder::set ()
#2  0x00092b4d in TraceRecorder::stack ()
#3  0x00093a06 in TraceRecorder::record_LeaveFrame ()
#4  0x0003a37e in js_Interpret ()
#5  0x0004025f in js_Execute ()
#6  0x0000884a in JS_ExecuteScript ()
#7  0x00002210 in Process ()
#8  0x00005aab in main ()
Blocks: landtm
Recent regression. Bisecting.
Patch is fine. It makes additional code traceable, which triggers the interrupt-table bug (which is being worked on).
That patch made us trace more, which got us into trouble with LOAD_INTERRUPT_HANDLER (where it doesn't check whether we were recording before the native or debugger hook call-out, so it clobbers jumpTable with something other than recordingJumpTable) which Andreas reported by email. I'm making this bug track that problem.

/be
Status: NEW → ASSIGNED
Priority: -- → P1
Summary: TM: crash in 3d-cube and 3d-raytrace → TM: LOAD_INTERRUPT_HANLDER must respect recording (crash in 3d-cube and 3d-raytrace)
Target Milestone: --- → mozilla1.9.1a2
Priority: P1 → --
Target Milestone: mozilla1.9.1a2 → ---
Fixed? Seems so, but this exposes other latent bugs.

http://hg.mozilla.org/tracemonkey/index.cgi/rev/167ade86d28e

/be
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Not fixed... more soon.

/be
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: TM: LOAD_INTERRUPT_HANLDER must respect recording (crash in 3d-cube and 3d-raytrace) → TM: LOAD_INTERRUPT_HANDLER must respect recording (crash in 3d-cube and 3d-raytrace)
Urgh, don't pass calls to macros that expand their args twice.

/be
Status: REOPENED → ASSIGNED
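The pitfall named in the comment above, as an added illustration that is not TraceMonkey code: a hypothetical macro CLAMP_TWICE mentions its argument twice, so passing it a function call with side effects runs the call twice and can even yield a value the macro was meant to exclude, while a function (or a macro that copies its argument into a local once) evaluates it exactly once.

```c
#include <stdio.h>

/* Hypothetical macro (constructed for this example): the argument
 * appears twice in the expansion, so it is evaluated up to twice. */
#define CLAMP_TWICE(x) ((x) > 10 ? 10 : (x))

/* Same contract, but the argument is evaluated exactly once. */
static inline int clamp_once(int x) { return x > 10 ? 10 : x; }

/* Hypothetical side-effecting producer: each call advances a counter. */
static int calls;
static int next_value(void) { calls++; return calls * 7; }

typedef struct { int result; int evaluations; } outcome;

/* First evaluation yields 7 (not > 10), the second yields 14, which
 * is what the macro returns: two calls and an unclamped result. */
outcome via_macro(void) {
    calls = 0;
    int r = CLAMP_TWICE(next_value());
    return (outcome){ r, calls };
}

/* The function form calls next_value() once and returns 7. */
outcome via_function(void) {
    calls = 0;
    int r = clamp_once(next_value());
    return (outcome){ r, calls };
}

int main(void) {
    outcome m = via_macro(), f = via_function();
    printf("macro:    result=%d evaluations=%d\n", m.result, m.evaluations);
    printf("function: result=%d evaluations=%d\n", f.result, f.evaluations);
    return 0;
}
```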
DEBUG build only bug, fix is:

http://hg.mozilla.org/tracemonkey/index.cgi/rev/fe7b3611e9c4

Any non-DEBUG probs this reveals are separate bugs.

/be
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Duplicate of this bug: 450161