502449 - Crash [@ __memcpy]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(function() {
    x = this.watch("x", function() {
        function x() {
            return * ::*
        }
    })
})()

crashes js opt and debug shell from TM branch without -j at __memcpy. Haven't yet tested on 1.9.1, and won't have time to autoBisect yet for a couple of days.

===

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   libSystem.B.dylib             	0xffff07c2 __memcpy + 34 (cpu_capabilities.h:246)
1   js-opt-tm-intelmac            	0x00042137 js_PutCallObject + 327
2   js-opt-tm-intelmac            	0x00024170 js_watch_set + 736
3   js-opt-tm-intelmac            	0x00068ff3 js_NativeSet + 227
4   js-opt-tm-intelmac            	0x00069950 js_SetPropertyHelper + 1616
5   js-opt-tm-intelmac            	0x0004a3f5 js_Interpret + 2853
6   js-opt-tm-intelmac            	0x000598f9 js_Execute + 409
7   js-opt-tm-intelmac            	0x0000e88c JS_ExecuteScript + 60
8   js-opt-tm-intelmac            	0x000043e0 Process(JSContext*, JSObject*, char*, int) + 1616
9   js-opt-tm-intelmac            	0x00007aaf main + 879
10  js-opt-tm-intelmac            	0x000025bb _start + 209
11  js-opt-tm-intelmac            	0x000024e9 start + 41

Comment 1

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Fix

Comment 2

[Blake Kaplan (:mrbkap) (inactive)]

This is fallout from bug 501270. It did not affect the 1.9.0 version of the patch from that bug because igor's call object optimization didn't land on that branch.

Comment 5

[Brendan Eich [:brendan]]

Comment on attachment 386891 [details] [diff] [review]
Fix

Gonna go with Igor's r+ here.

/be

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This bug doesn't seem to affect 1.9.1.

Comment 8

[Blake Kaplan (:mrbkap) (inactive)]

http://hg.mozilla.org/tracemonkey/rev/458e6d714354

Comment 10

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/458e6d714354

Comment 11

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 386891 [details] [diff] [review]
Fix

Needed if we take bug 501270 on the 1.9.1 branch.

Comment 12

[Samuel Sidler (old account; do not CC)]

Comment on attachment 386891 [details] [diff] [review]
Fix

Approved for 1.9.1.2. a=ss for release-drivers

Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.

Comment 13

[Blake Kaplan (:mrbkap) (inactive)]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/0a6882aaaf22

Comment 14

[Bob Clary [:bc] (inactive)]

test passes in 1.9.1 shell on mac, but never failed there.

Comment 15

[u279076]

What is the best/simplest way for QA to verify this on 3.5.2?

Comment 16

[Mike Beltzner [:beltzner, not reading bugmail]]

Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)