465192 - Crash [@TraceRecorder::wasDeepAborted] - js1_7/extensions/regress-455982-01.js | js1_8/extensions/regress-452476.js

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Bob Clary [:bc] (inactive)]

+++ This bug was initially created as a clone of Bug #463829 +++

(In reply to comment #17)
> Pushed fix as changeset: http://hg.mozilla.org/tracemonkey/rev/415a091bf8d9

This caused js1_7/extensions/regress-455982-01.js to change from an assertion
(bug 462142) to a CRASH and caused js1_8/extensions/regress-452476.js to crash with this stack

js1_7/extensions/regress-455982-01.js's stack

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000060
0x0009cd85 in TraceRecorder::wasDeepAborted (this=0x0) at jstracer.h:457
457        bool wasDeepAborted() { return deepAborted; }
(gdb) bt
#0  0x0009cd85 in TraceRecorder::wasDeepAborted (this=0x0) at jstracer.h:457
#1  0x00060e4d in js_Interpret (cx=0x30b210) at ../jsinterp.cpp:2582
#2  0x000a07c6 in js_Invoke (cx=0x30b210, argc=0, vp=0x818460, flags=0) at
jsinterp.cpp:1326
#3  0x000a0a7c in js_InternalInvoke (cx=0x30b210, obj=0x248000, fval=2621496,
flags=0, argc=0, argv=0x0, rval=0xbfff98cc) at jsinterp.cpp:1383
#4  0x000a0cdd in js_InternalGetOrSet (cx=0x30b210, obj=0x248000, id=2402212,
fval=2621496, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfff98cc) at
jsinterp.cpp:1444
#5  0x000b2df5 in js_NativeGet (cx=0x30b210, obj=0x248000, pobj=0x248000,
sprop=0x81ab50, vp=0xbfff98cc) at ../jsobj.cpp:3663
#6  0x000b3bb7 in js_GetPropertyHelper (cx=0x30b210, obj=0x248000, id=2402212,
vp=0xbfff98cc, entryp=0x0) at ../jsobj.cpp:3812
#7  0x000b3c4a in js_GetProperty (cx=0x30b210, obj=0x248000, id=2402212,
vp=0xbfff98cc) at ../jsobj.cpp:3824
#8  0x000a2b09 in CallEnumeratorNext (cx=0x30b210, iterobj=0x248680, flags=3,
rval=0xbfff98cc) at ../jsiter.cpp:566
#9  0x000a2c19 in js_CallIteratorNext (cx=0x30b210, iterobj=0x248680,
rval=0xbfff98cc) at ../jsiter.cpp:600
#10 0x0018512d in js_FastCallIteratorNext (cx=0x30b210, iterobj=0x248680) at
../jsbuiltins.cpp:249
#11 0x0028f469 in ?? ()
#12 0x0012fd23 in js_ExecuteTree (cx=0x30b210, f=0x31bc10,
inlineCallCount=@0xbfffd6a8, innermostNestedGuardp=0xbfffc6c0) at
../jstracer.cpp:3432
#13 0x00146305 in js_MonitorLoopEdge (cx=0x30b210, inlineCallCount=@0xbfffd6a8)
at ../jstracer.cpp:3727
#14 0x0006343b in js_Interpret (cx=0x30b210) at ../jsinterp.cpp:3100
#15 0x0009f2c4 in js_Execute (cx=0x30b210, chain=0x248000, script=0x3116c0,
down=0x0, flags=0, result=0x0) at jsinterp.cpp:1554
#16 0x00019270 in JS_ExecuteScript (cx=0x30b210, obj=0x248000, script=0x3116c0,
rval=0x0) at ../jsapi.cpp:5078
#17 0x000028f4 in Process (cx=0x30b210, obj=0x248000, filename=0xbffff646
"./regress-455982-01.js", forceTTY=0) at ../js.cpp:278
#18 0x0000821a in ProcessArgs (cx=0x30b210, obj=0x248000, argv=0xbffff4dc,
argc=10) at ../js.cpp:518
#19 0x000094e5 in main (argc=10, argv=0xbffff4dc, envp=0xbffff508) at
../js.cpp:4030

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: proposed fix

Comment 3

[Andreas Gal :gal]

Comment on attachment 348485 [details] [diff] [review]
proposed fix

And I thought that piece of code couldn't get any uglier.

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

Pushed fix as changeset: http://hg.mozilla.org/tracemonkey/rev/234300844781

Comment 5

[Damon Sicore (:damons)]

reopening, marking blocking beta2, will close once landed on m-c.

Comment 6

[Mike Beltzner [:beltzner, not reading bugmail]]

Fixed in the merge pushed by vlad on Nov 18 14:11:14 2008 -0800:
http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531

Comment 7

[Bob Clary [:bc] (inactive)]

see bug 455982 for other issues with js1_7/extensions/regress-455982-01.js

v 1.9.1, 1.9.2