Closed
Bug 504632
Opened 15 years ago
Closed 13 years ago
Crash [@ js_NewObjectWithGivenProto] with js1_6/extensions/regress-456826.js
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
WORKSFORME
People
(Reporter: bc, Unassigned)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
crash tracemonkey shell js1_6/extensions/regress-456826.js #0 0x000ab519 in js_NewObjectWithGivenProto (cx=0x80f000, clasp=0x1c77e0, proto=0x2c0000, parent=0x2c1980, objectSize=0) at ../jsobj.cpp:2093 #1 0x000ad3b7 in js_NewObject (cx=0x80f000, clasp=0x1c77e0, proto=0x2c0000, parent=0x2c1980, objectSize=0) at ../jsobj.cpp:2182 #2 0x0005fd2e in js_NewFunction (cx=0x80f000, funobj=0x0, native=0x1c7e00 <math_atan_trcinfo>, nargs=1, flags=10240, parent=0x2c1980, atom=0x2c637c) at ../jsfun.cpp:2438 #3 0x00060fa9 in js_DefineFunction (cx=0x80f000, obj=0x2c1980, atom=0x2c637c, native=0x1c7e00 <math_atan_trcinfo>, nargs=1, attrs=10240) at ../jsfun.cpp:2573 #4 0x0001d734 in JS_DefineFunction (cx=0x80f000, obj=0x2c1980, name=0x1b0111 "atan", call=0x1c7e00 <math_atan_trcinfo>, nargs=1, attrs=14336) at ../jsapi.cpp:4627 #5 0x00020998 in JS_DefineFunctions (cx=0x80f000, obj=0x2c1980, fs=0x1c7f80) at ../jsapi.cpp:4609 #6 0x000a1894 in js_InitMathClass (cx=0x80f000, obj=0x2c1000) at ../jsmath.cpp:801 #7 0x0001932c in JS_ResolveStandardClass (cx=0x80f000, obj=0x2c1000, id=2896020, resolved=0xbfffe8cc) at ../jsapi.cpp:1603 #8 0x0000a73d in global_resolve (cx=0x80f000, obj=0x2c1000, id=2896020, flags=0, objp=0xbfffe934) at ../../shell/js.cpp:4334 #9 0x000ac499 in js_LookupPropertyWithFlags (cx=0x80f000, obj=0x2c1000, id=2896020, flags=0, objp=0xbfffe9b0, propp=0xbfffe9ac) at ../jsobj.cpp:3847 #10 0x000b01f9 in js_FindPropertyHelper (cx=0x80f000, id=2896020, cacheResult=1, objp=0xbfffedcc, pobjp=0xbfffedc8, propp=0xbfffedac) at ../jsobj.cpp:3988 #11 0x000882cc in js_Interpret (cx=0x80f000) at ../jsinterp.cpp:5314 #12 0x0009afc4 in js_Execute (cx=0x80f000, chain=0x2c1000, script=0x312a60, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1635 #13 0x0001e3b8 in JS_ExecuteScript (cx=0x80f000, obj=0x2c1000, script=0x312a60, rval=0x0) at ../jsapi.cpp:5048 #14 0x000081d1 in Process (cx=0x80f000, obj=0x2c1000, filename=0xbffff5ee "regress-456826.js", forceTTY=0) at ../../shell/js.cpp:408 #15 0x0000989a in ProcessArgs (cx=0x80f000, obj=0x2c1000, argv=0xbffff484, argc=9) at ../../shell/js.cpp:748 #16 0x0000aeb0 in main (argc=9, argv=0xbffff484, envp=0xbffff4ac) at ../../shell/js.cpp:4752
Flags: in-testsuite+
|
||
Comment 1•15 years ago
|
||
fwiw, I'm having reproducing the crash here. bc, what revision of tracemonkey is that stack against?
|
Reporter | |
Comment 2•15 years ago
|
||
the stack was from an older build, but I just bisected on the SIGBUS and confirmed that on the tip. I'll get a fresh stack in a moment. regression changeset: 30297:b0f849609c10 user: Andreas Gal <gal@mozilla.com> date: Tue Jul 14 17:06:09 2009 -0700 summary: Avoid integer division in NewGCThing path (503157, r=jwalden).
|
||
Comment 3•15 years ago
|
||
Thats bad. Could someone backout the patch? And I will try to reproduce in the meantime.
|
|
Reporter | |
Comment 4•15 years ago
|
||
PS. the crash was debug only.
|
|
||
Comment 5•15 years ago
|
||
Oh. Ok in that case leave it in. I will look at the assert. I have a browser running with the patch, so TM tip shouldn't be unuseable.
|
|
||
Comment 6•15 years ago
|
||
This works for me in the shell. Are you sure you have a clean build? The line number doesn't match up with an assert in TM tip, and the nearest assert is obviously not failing (it says !objectSize, which is the case here).
|
|
Reporter | |
Comment 7•15 years ago
|
||
Pretty sure. It's not an assert but a SIGBUS error. I just did a fresh build and reproduced it again.
|
|
Reporter | |
Comment 9•13 years ago
|
||
update crash bugs to critical per guidelines.
Severity: normal → critical
|
||
Comment 10•13 years ago
|
||
bc, can you still reproduce? I ask, because it looks like js_NewObjectWithGivenProto doesn't exist on crash stats for 4.0 or newer. There is however, JS_NewObjectWithGivenProto https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=JS_NewObjectWithGivenProto&reason_type=contains&date=06%2F01%2F2011%2014%3A00%3A30&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=JS_NewObjectWithGivenProto
|
|
Reporter | |
Comment 11•13 years ago
|
||
(In reply to comment #10) > I ask, because it looks like js_NewObjectWithGivenProto doesn't exist on > crash stats for 4.0 or newer. I don't understand considering the non-null nature of the crash-stats query you gave. The test passes nightly debug shell produced as part of the Firefox build in mac os x 10.4, winxp, linux 32bit and 64bit. I would say this bug as filed is now wfm.
|
|
||
Comment 12•13 years ago
|
||
(In reply to comment #11) > (In reply to comment #10) > > > I ask, because it looks like js_NewObjectWithGivenProto doesn't exist on > > crash stats for 4.0 or newer. > > I don't understand considering the non-null nature of the crash-stats query > you gave. the URL is for a _different_ signature JS_..., not js_... > The test passes nightly debug shell produced as part of the Firefox build in > mac os x 10.4, winxp, linux 32bit and 64bit. I would say this bug as filed > is now wfm. WFM per comment 11
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Comment 13•13 years ago
|
||
(In reply to comment #12) > the URL is for a _different_ signature JS_..., not js_... doh!
Status: RESOLVED → VERIFIED
|
||
Updated•13 years ago
|
Crash Signature: [@ js_NewObjectWithGivenProto]
You need to log in
before you can comment on or make changes to this bug.
Description
•