Closed Bug 450369 Opened 16 years ago Closed 16 years ago

TM: json2.js crashes in nanojit

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.1a2

People

(Reporter: brendan, Assigned: dvander)

References

Details

(Keywords: testcase)

Attachments

(2 files)

gdb debug spew and backtrace
9.87 KB, text/plain
Details
json2.js with self-test loop at bottom
9.59 KB, text/plain
Details 
David, we need your nj expertise. See attachment for skidmarks. Self-testing json2.js in second attachment.

/be
Blocks: landtm
After a few fixes this looks closer to working -- here's the current backtrace.  Looks like the stack adjust might be wrong, and that it's bailing out inside an inlined function (stringify).

side exits 43
live instruction count 223, total 284, max pressure 11
entering trace at json2.js:276@115, native stack slots: 21
global: object<0x236260:Object> 
stack: this0=object<0x236000:global> vars0=object<0x2362a0:Array> vars1=object<0x236400:Array> vars2=int<2> vars3=object<0x236300:Array> vars4=string<0x238a58> 
leaving trace at json2.js:154@197, exitType=3, sp=0xbfffae60, ip=0x1003b0f, cycles=89034
object<0x236260:Object> object<0x236260:Object> 
object<0x236000:global> object<0x2362a0:Array> object<0x236400:Array> object<0x236340:Array> string<0x238a58> object<0x2361e0:Function> object<0x236260:Object> object<0x236360:Object> object<0x236520:Array> object<0x2360e0:RegExp> object<0x236360:Object> this0=object<0x236000:global> vars0=object<0x2362a0:Array> vars1=object<0x236400:Array> vars2=int<2> vars3=object<0x236340:Array> vars4=string<0x238a58> stack0=object<0x2361e0:Function> stack1=object<0x236260:Object> stack2=object<0x236360:Object> stack3=boolean<2> missing0=object<0x236520:Array> vars0=boolean<2> vars1=boolean<2> vars2=boolean<2> vars3=object<0x2360e0:RegExp> vars4=boolean<2> vars5=object<0x236360:Object> 
Assertion failure: regs.sp > StackBase(fp), at jsinterp.cpp:3122

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x16a733 "regs.sp > StackBase(fp)", file=0x16c3b5 "jsinterp.cpp", ln=3122) at jsutil.cpp:63
63	    abort();
(gdb) frame 1
#1  0x00060a68 in js_Interpret (cx=0x300ca0) at jsinterp.cpp:3122
3122	            JS_ASSERT(regs.sp > StackBase(fp));
(gdb) print fp
$4 = (JSStackFrame *) 0x806ac4
(gdb) print fp->slots + fp->script->nfixed
$5 = (jsval *) 0x806b48
(gdb) print regs.sp
$6 = (jsval *) 0x806b48



I think this is fixed. Brendan?
Yes:

http://hg.mozilla.org/tracemonkey/index.cgi/rev/5f757786525e
http://hg.mozilla.org/tracemonkey/index.cgi/rev/1e456b6bceae

/be
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Keywords: testcase
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-450369.js,v  <--  regress-450369.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63
Flags: in-testsuite+
Flags: in-litmus-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: