Closed Bug 457663 Opened 16 years ago Closed 15 years ago

js1_8_1/trace/trace-test.js CRASH (64 bit)

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: bc, Assigned: dvander)

Details

(Keywords: 64bit, regression, testcase)

http://hg.mozilla.org/mozilla-central/rev/58a1d81f3583 introduced a SIGSEGV in js1_8_1/trace/trace-test.js on linux 64 bit. I'm not sure what bug # to attribute to this. danderson?

Currently it fails with Assertion failed: "Should not move data from GPR to XMM" (see bug 457449). This assertion began with http://hg.mozilla.org/mozilla-central/rev/17c60e5a30c1 (bug 389034).
Flags: in-testsuite+
Flags: in-litmus-

That first revision is when the 64-bit JIT got turned on by default in the shell. The revision that broke looks like http://hg.mozilla.org/tracemonkey/rev/c82703d1d8c1

I pushed a fix to tracemonkey as changeset http://hg.mozilla.org/tracemonkey/rev/6ceb773fac22 -- I don't assert on my trace-tests.js anymore. Could you verify?

I don't assert but I crash in debug shell only:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000467884 in ComputeThis (cx=0x27f7c60, lazy=0, argv=0x2807c20) at jsinterp.cpp:846
846             if (OBJ_GET_CLASS(cx, thisp) == &js_CallClass)
(gdb) bt
#0  0x0000000000467884 in ComputeThis (cx=0x27f7c60, lazy=0, argv=0x2807c20) at jsinterp.cpp:846
#1  0x00000000004679bf in js_ComputeThis (cx=0x27f7c60, lazy=0, argv=0x2807c20) at jsinterp.cpp:868
#2  0x00000000004694b1 in js_Invoke (cx=0x27f7c60, argc=2, vp=0x2807c10, flags=0) at jsinterp.cpp:1168
#3  0x00000000005876a4 in js_Interpret (cx=0x27f7c60) at jsinterp.cpp:5001
#4  0x0000000000468b4d in js_Execute (cx=0x27f7c60, chain=0x27fb000, script=0x283cdb0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1550
#5  0x0000000000410247 in JS_ExecuteScript (cx=0x27f7c60, obj=0x27fb000, script=0x283cdb0, rval=0x0) at jsapi.cpp:4969
#6  0x000000000040b681 in Process (cx=0x27f7c60, obj=0x27fb000, filename=0x7fff3c00aa49 "trace-test.js", forceTTY=0) at js.cpp:277
#7  0x000000000040be7a in ProcessArgs (cx=0x27f7c60, obj=0x27fb000, argv=0x7fff3c008910, argc=10) at js.cpp:517
#8  0x000000000040c1f5 in main (argc=10, argv=0x7fff3c008910, envp=0x7fff3c008968) at js.cpp:3989

Demotion of quad(0) to dword(0) is causing only half of a NULL pointer to be written to the stack. Need to discuss possible solutions with Andreas but it should be fixable.
Assignee: general → danderson
Status: NEW → ASSIGNED
Keywords: 64bit
Hardware: All → x86_64
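
The failure mode described in the comment above, as an added example that is not code from the bug or from the engine: a zero stored as a dword into an 8-byte slot leaves the other half stale, so the value read back as a pointer is not NULL. The slot model, the function names and the stale value are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one 8-byte native stack slot that holds a pointer. */
typedef struct { unsigned char bytes[8]; } slot_t;

/* Constructed stale contents left in the slot by an earlier use. */
#define STALE_QUAD UINT64_C(0xdeadbeefcafef00d)

static uint64_t load_quad(const slot_t *s) {
    uint64_t v;
    memcpy(&v, s->bytes, sizeof v);      /* the consumer reads all 8 bytes */
    return v;
}

/* Demoted store: the constant 0 is emitted as a dword, so 4 bytes are written. */
static uint64_t store_null_as_dword(uint64_t stale) {
    slot_t s;
    uint32_t zero = 0;
    memcpy(s.bytes, &stale, sizeof stale);
    memcpy(s.bytes, &zero, sizeof zero); /* the other 4 bytes keep stale data */
    return load_quad(&s);
}

/* Full-width store: the constant 0 stays a quad, so all 8 bytes are written. */
static uint64_t store_null_as_quad(uint64_t stale) {
    slot_t s;
    uint64_t zero = 0;
    memcpy(s.bytes, &stale, sizeof stale);
    memcpy(s.bytes, &zero, sizeof zero);
    return load_quad(&s);
}

/* The test a consumer makes before dereferencing: non-zero bits mean "not NULL". */
static int treated_as_non_null(uint64_t ptr_bits) { return ptr_bits != 0; }

int main(void) {
    uint64_t bad = store_null_as_dword(STALE_QUAD);
    uint64_t good = store_null_as_quad(STALE_QUAD);
    printf("dword store: 0x%016llx treated as non-null: %d\n",
           (unsigned long long)bad, treated_as_non_null(bad));
    printf("quad store:  0x%016llx treated as non-null: %d\n",
           (unsigned long long)good, treated_as_non_null(good));
    return 0;
}
```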

This is pretty old and the backend has changed completely since, so WFM.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME