Closed Bug 489040 Opened 11 years ago Closed 11 years ago

TM: Crash [@ TraceRecorder::getThis]

(Core :: JavaScript Engine, defect, P2)

(Reporter: gkw, Assigned: gal)

(Blocks 1 open bug)

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data

(1 file)

for (var y = 0; y < 2; ++y) { (/x/)[this] }

Bug 483940 has morphed into a debug js shell crash with -j at TraceRecorder::getThis at 0xfffffffc. Waldo suggests to file a new bug...

I'm sure this is still a regression but not sure of what bug due to all the morphing that happened.
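The test case above exercises `this` in global code, which the tracer resolves to the global object (the rule the patched comment in `getThis` describes). As an added example, not part of the bug report, the snippet below checks that rule from script rather than from inside the engine: it evaluates source as global code through indirect `eval` (so the `this` binding is the top-level one, not a module or caller binding), runs the test case loop for a configurable count, and shows what property key `(/x/)[this]` actually uses. The helper names are mine; nothing here depends on the TraceMonkey internals in the trace.

```javascript
// Added example (not from the bug): the rule "in global code, bake in the
// global object as 'this'", checked from script.

// Evaluate `src` as global code. Indirect eval ((0, eval)(...)) always runs
// the source as top-level, non-strict code, so `this` inside it is resolved
// the way a top-level script resolves it regardless of where this file runs.
function evalAsGlobalCode(src) {
  return (0, eval)(src);
}

// In global code, `this` is the global object.
function thisInGlobalCodeIsGlobalObject() {
  return evalAsGlobalCode('this') === globalThis;
}

// In a non-strict function called with no receiver, `this` is also the
// global object; in a strict function it is undefined instead.
function thisInSloppyFunctionIsGlobalObject() {
  return evalAsGlobalCode('(function () { return this; })()') === globalThis;
}
function thisInStrictFunctionIsUndefined() {
  return evalAsGlobalCode('(function () { "use strict"; return this; })()') === undefined;
}

// The bug's test case, run as global code for `iterations` rounds (the
// original used 2). `(/x/)[this]` looks up a property on a fresh regexp with
// the key String(this); the lookup yields undefined and must not throw.
// Returns the number of loop iterations that completed.
function runTestcase(iterations) {
  var src =
    'var n = 0;' +
    'for (var y = 0; y < ' + Number(iterations) + '; ++y) { (/x/)[this]; n++; }' +
    'n';
  return evalAsGlobalCode(src);
}

// The property key the test case uses: the string form of the global object
// ("[object global]" under Node, "[object Window]" in a browser).
function testcaseKey() {
  return evalAsGlobalCode('String(this)');
}
```

Running `runTestcase(2)` reproduces the test case's control flow (two iterations, no exception); a larger count such as `runTestcase(100)` is closer to what a tracing JIT would record as a hot loop, which is where `getThis` was reached in the crash.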
Flags: blocking1.9.1?
regressed by bug 488816

covered by at least js1_5/Regress/regress-452495.js debug shell tracemonkey/mozilla-central w or wo jit. mac only so far.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xfffffffc
0x001420e9 in TraceRecorder::getThis (this=0x312ec0, this_ins=@0xbfffea2c) at ../jstracer.cpp:6326
6326	        JS_ASSERT(JSVAL_IS_OBJECT(cx->fp->argv[-1]));
(gdb) bt
#0  0x001420e9 in TraceRecorder::getThis (this=0x312ec0, this_ins=@0xbfffea2c) at ../jstracer.cpp:6326
#1  0x001423de in TraceRecorder::record_JSOP_THIS (this=0x312ec0) at ../jstracer.cpp:8544
#2  0x0015148b in TraceRecorder::monitorRecording (cx=0x30bd40, tr=0x312ec0, op=JSOP_THIS) at jsopcode.tbl:186
#3  0x0006bca6 in js_Interpret (cx=0x30bd40) at ../jsinterp.cpp:3030
#4  0x000959f2 in js_Execute (cx=0x30bd40, chain=0x2a9000, script=0x3121c0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1614
#5  0x0001db30 in JS_ExecuteScript (cx=0x30bd40, obj=0x2a9000, script=0x3121c0, rval=0x0) at ../jsapi.cpp:5033
#6  0x00007e73 in Process (cx=0x30bd40, obj=0x2a9000, filename=0xbffff5ee "regress-452495.js", forceTTY=0) at ../../shell/js.cpp:412
#7  0x0000953a in ProcessArgs (cx=0x30bd40, obj=0x2a9000, argv=0xbffff480, argc=8) at ../../shell/js.cpp:746
#8  0x0000ab35 in main (argc=8, argv=0xbffff480, envp=0xbffff4a4) at ../../shell/js.cpp:4726
Blocks: 488816
ditto js1_8/extensions/regress-452476.js
Attached patch patchSplinter Review
Bogus assert.
Assignee: general → gal
Attachment #373605 - Flags: review?(brendan)
Bogus assert only. Making P1 merely to make sure it catches the b4 train; otherwise debug builds can get burned.
Severity: critical → normal
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b4
Comment on attachment 373605 [details] [diff] [review]

>diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
>--- a/js/src/jstracer.cpp
>+++ b/js/src/jstracer.cpp
>@@ -6318,17 +6318,16 @@ TraceRecorder::getThis(LIns*& this_ins)
>     /*
>      * In global code, bake in the global object as 'this' object.
>      */
>     if (!cx->fp->callee) {
>         JS_ASSERT(callDepth == 0);
>         JSObject* thisObj = js_ComputeThisForFrame(cx, cx->fp);
>         if (!thisObj)
>             ABORT_TRACE("js_ComputeThis failed");
>-        JS_ASSERT(JSVAL_IS_OBJECT(cx->fp->argv[-1]));
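Review bot: the assertion removed at the end of this hunk dereferences `cx->fp->argv[-1]` inside the branch guarded by `!cx->fp->callee`, i.e. exactly the case where the frame has no callee and `argv` need not point at anything; the fault address 0xfffffffc in the attached trace is what `argv[-1]` resolves to when `argv` is NULL on a 32-bit build, so the assert is the crash rather than a detector of one, and dropping it is the right fix. If a debug check on 'this' is still wanted at this point, assert on what this branch just computed (`thisObj` is already verified non-null by the `ABORT_TRACE` above) or make the `argv` check conditional on `cx->fp->callee`, so the check never runs for global frames.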

Rather than remove it, you could move it above the if and use JS_ASSERT_IF(cx->fp->callee, JSVAL_IS_OBJECT(cx->fp->argv[-1])). r=me either way, IIRC we're covered by other assertions.

Attachment #373605 - Flags: review?(brendan) → review+
Flags: blocking1.9.1? → blocking1.9.1+
Priority: P1 → P2
Whiteboard: fixed-in-tracemonkey
Closed: 11 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Where's the simplified testcase? There's nothing in the bug report, so I'm removing the keyword since it's already been fixed and the in-testsuite? flag is marked.
Keywords: testcase
Never mind, I'm an idiot by not checking comment 0.
Keywords: testcase
Crash Signature: [@ TraceRecorder::getThis]
Automatically extracted testcase for this bug was committed:
Flags: in-testsuite? → in-testsuite+