Closed Bug 456931 Opened 16 years ago Closed 16 years ago

TM: GVAR op record methods use wrong object

Categories

(Core :: JavaScript Engine, defect, P1)

RESOLVED FIXED
mozilla1.9.1b1

People

(Reporter: brendan, Assigned: brendan)

Details

Attachments

(1 file)

Attached patch: fixes so far
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xfffffffc
0x230d5fa6 in TraceRecorder::record_JSOP_GETGVAR (this=0x25699580) at jstracer.cpp:6136
6136        stack(0, get(&STOBJ_GET_SLOT(cx->fp->scopeChain, slot)));
(gdb) p cx.fp.scopeChain
$1 = (JSObject *) 0x20451ec0
(gdb) p slot
$2 = 381
(gdb) p cx.fp
$3 = (JSStackFrame *) 0xbfffdd1c
(gdb) p cx.fp.scopeChain.dslots
$4 = (jsval *) 0x0
(gdb) p tm.globalShape
Cannot access memory at address 0x189
(gdb) p tm
$5 = (JSTraceMonitor *) 0x17d
(gdb) p this.globalObj
$6 = (JSObject *) 0x21242e40
(gdb) p this.globalObj == cx.fp.scopeChain
$7 = false
(gdb) p cx.fp.slots
$8 = (jsval *) 0x2a8d9e18
(gdb) p cx.fp.script.nfixed
$9 = 36
(gdb) l
6131        uint32 slot = JSVAL_TO_INT(slotval);
6132
6133        if (!lazilyImportGlobalSlot(slot))
6134             ABORT_TRACE("lazy import of global slot failed");
6135
6136        stack(0, get(&STOBJ_GET_SLOT(cx->fp->scopeChain, slot)));
6137        return true;
6138    }
6139
6140    bool
(gdb) p *(JSClass*)(cx.fp.scopeChain.classword&~3)
$10 = {
  name = 0x231064e4 "Block", 
  flags = 503447809, 
  addProperty = 0x230032c0 <JS_PropertyStub>, 
  delProperty = 0x230032c0 <JS_PropertyStub>, 
  getProperty = 0x230766b2 <block_getProperty(JSContext*, JSObject*, long, long*)>, 
  setProperty = 0x230767e0 <block_setProperty(JSContext*, JSObject*, long, long*)>, 
  enumerate = 0x230032ca <JS_EnumerateStub>, 
  resolve = 0x230032d4 <JS_ResolveStub>, 
  convert = 0x230032de <JS_ConvertStub>, 
  finalize = 0x230032e8 <JS_FinalizeStub>, 
  getObjectOps = 0, 
  checkAccess = 0, 
  call = 0, 
  construct = 0, 
  xdrObject = 0x2307e0fe <block_xdrObject(JSXDRState*, JSObject**)>, 
  hasInstance = 0, 
  mark = 0, 
  reserveSlots = 0x230768ec <block_reserveSlots(JSContext*, JSObject*)>
}
(gdb) p globalObj.dslots
$11 = (jsval *) 0x2a93b804
(gdb) p globalObj.dslots[-1]
$12 = 516
(gdb) q

/be
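As an added illustration of the session above (not SpiderMonkey's code and not the fix from the attached patch), the model below builds the two objects gdb showed, a global with 516 slots and a Block whose dslots is NULL, and reads slot 381 through a bounds-checked slot accessor. The fixed-slot count of 5, the dslots[-1] total-slot word and the stored value 42 are assumptions made for the model; slot 381, the Block class and the 516-slot global come from the session.

```c
/* Constructed model of the wrong-object read in record_JSOP_GETGVAR.
 * Not SpiderMonkey source; layout details are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define JS_INITIAL_NSLOTS 5          /* assumed number of inline (fixed) slots */
typedef intptr_t jsval;

typedef struct JSObject {
    const char *clasp_name;          /* "Block" or "global" in this model */
    jsval fslots[JS_INITIAL_NSLOTS];
    jsval *dslots;                   /* NULL until grown; dslots[-1] = total slot count */
} JSObject;

/* Checked counterpart of STOBJ_GET_SLOT: refuses to read through a NULL or
 * too-short dslots array instead of faulting, and reports failure. */
static bool get_slot_checked(const JSObject *obj, uint32_t slot, jsval *out) {
    if (slot < JS_INITIAL_NSLOTS) { *out = obj->fslots[slot]; return true; }
    if (!obj->dslots) return false;                       /* the Block's state in gdb */
    if (slot >= (uint32_t)obj->dslots[-1]) return false;  /* beyond allocated slots */
    *out = obj->dslots[slot - JS_INITIAL_NSLOTS];
    return true;
}

static JSObject *make_object(const char *clasp_name, uint32_t nslots) {
    JSObject *obj = calloc(1, sizeof *obj);
    if (!obj) abort();
    obj->clasp_name = clasp_name;
    if (nslots > JS_INITIAL_NSLOTS) {
        /* one extra word in front of the array holds the count, as dslots[-1] did */
        jsval *mem = calloc(nslots - JS_INITIAL_NSLOTS + 1, sizeof *mem);
        if (!mem) abort();
        mem[0] = (jsval)nslots;
        obj->dslots = mem + 1;
    }
    return obj;
}

static void free_object(JSObject *obj) { if (obj->dslots) free(obj->dslots - 1); free(obj); }

/* Stores 42 in global slot 381, then reads slot 381 back either from the
 * scope-chain head (a Block, as the crash did) or from the global object. */
static bool read_gvar_381(bool via_global, jsval *out) {
    JSObject *global = make_object("global", 516);               /* dslots[-1] == 516 */
    JSObject *block = make_object("Block", JS_INITIAL_NSLOTS);   /* dslots stays NULL */
    global->dslots[381 - JS_INITIAL_NSLOTS] = 42;
    bool ok = get_slot_checked(via_global ? global : block, 381, out);
    free_object(block); free_object(global);
    return ok;
}

static bool block_read_refused(void) { jsval v = 0; return !read_gvar_381(false, &v); }
static jsval global_read_value(void) { jsval v = 0; return read_gvar_381(true, &v) ? v : -1; }

int main(void) {
    printf("Block read refused: %d, global slot 381: %ld\n",
           block_read_refused(), (long)global_read_value());
    return 0;
}
```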
Attachment #340290 - Flags: review?(gal)
Priority: -- → P1
Attachment #340290 - Flags: review?(gal) → review+
The assert should maybe go into its own bug.
Assert fix went into bug 456932, which Andreas kindly filed.

Fixed wrong-object bug on tm:

http://hg.mozilla.org/tracemonkey/rev/0b96e0ae55d9

/be
Fixed on m-c:

http://hg.mozilla.org/mozilla-central/rev/0b96e0ae55d9

/be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite-
Flags: in-litmus-