Closed Bug 472440 Opened 11 years ago Closed 11 years ago

Crash [@ TraceRecorder::record_JSOP_CALLGVAR]

Categories

(Core :: JavaScript Engine, defect, P1, major)

x86
All

Tracking

VERIFIED FIXED

People

(Reporter: bc, Assigned: dmandelin)

Details

(Keywords: assertion, testcase, verified1.9.1)

Attachments

(1 file)

js1_7/regress/regress-418641.js browser; jit only

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xfffffffc
0x00362fb7 in TraceRecorder::record_JSOP_CALLGVAR (this=0x1dc90930) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:8489
8489	    jsval& v = STOBJ_GET_SLOT(cx->fp->scopeChain, slot);
(gdb) bt
#0  0x00362fb7 in TraceRecorder::record_JSOP_CALLGVAR (this=0x1dc90930) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:8489
#1  0x00367279 in TraceRecorder::monitorRecording (this=0x1dc90930, op=JSOP_CALLGVAR) at jsopcode.tbl:545
#2  0x00293303 in js_Interpret (cx=0xacb600) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:2840
#3  0x002b8a6a in js_Execute (cx=0xacb600, chain=0x1db9d5c0, script=0xcd4200, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1564
#4  0x002487a7 in JS_EvaluateUCScriptForPrincipals (cx=0xacb600, obj=0x1db9d5c0, principals=0x1c388c84, chars=0xd03008, length=4035, filename=0x1dc08418 "http://test.mozilla.com/tests/mozilla.org/js/js1_7/regress/regress-418641.js", lineno=1, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5192
#5  0x13055687 in nsJSContext::EvaluateString (this=0x1bdd1b70, aScript=@0x1dc519b4, aScopeObject=0x1db9d5c0, aPrincipal=0x1c388c80, aURL=0x1dc08418 "http://test.mozilla.com/tests/mozilla.org/js/js1_7/regress/regress-418641.js", aLineNo=1, aVersion=170, aRetValue=0x0, aIsUndefined=0xbfffc6d4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/src/base/nsJSEnvironment.cpp:1588

regressed by http://hg.mozilla.org/tracemonkey/rev/c0d189525474

occurs on 1.9.1, 1.9.1-tm, 1.9.2
Flags: in-testsuite+
Flags: in-litmus-
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Assignee: general → dmandelin
Attached patch: Patch
Attachment #356867 - Flags: review?(mrbkap)
Attachment #356867 - Flags: review?(mrbkap) → review+
Pushed to TM as 4025f66494fd.
http://hg.mozilla.org/mozilla-central/rev/4025f66494fd
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED