Closed
Bug 516262
Opened 15 years ago
Closed 15 years ago
Crash [@ js_Interpret] or "Assertion failure: script->nfixed == 2, at ../jsinterp.cpp"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
People
(Reporter: gkw, Assigned: brendan)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey [ccbr])
Crash Data
Attachments
(1 file)
|
1.52 KB,
patch
|
Details | Diff | Splinter Review |
y=0
var z
[#1#]
crashes js opt shell at js_Interpret at null on TM tip (changeset: 32240:01fc5bf1d21a) without -j and asserts debug at Assertion failure: script->nfixed == 2, at ../jsinterp.cpp:1568
(Pass in as a CLI argument to get it to assert/crash)
autoBisect shows this is probably related to bug 514981:
The first bad revision is:
changeset: 32201:c19b0d06d076
user: Brendan Eich
date: Wed Sep 09 20:21:15 2009 -0700
summary: Bug 514981 - JSStackFrame::sharp{Array,Depth} should be locals allocated due to #n[#=] usage (r=igor).
===
$ cat 2interesting/w4811-reduced.js
y=0
var z
[#1#]
$ Mozilla/32240/js-dbg-tm-darwin 2interesting/w4811-reduced.js
Assertion failure: script->nfixed == 2, at ../jsinterp.cpp:1568
$ Mozilla/32240/js-opt-tm-darwin 2interesting/w4811-reduced.js
Bus error
===
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 js-opt-tm-darwin 0x00053c7a js_Interpret + 23498
1 js-opt-tm-darwin 0x0005dc61 js_Execute + 385
2 js-opt-tm-darwin 0x0000d53c JS_ExecuteScript + 60
3 js-opt-tm-darwin 0x00004270 Process(JSContext*, JSObject*, char*, int) + 1616
4 js-opt-tm-darwin 0x0000746f main + 879
5 js-opt-tm-darwin 0x0000196b _start + 209
6 js-opt-tm-darwin 0x00001899 start + 41
Flags: blocking1.9.2?
|
Reporter | |
Updated•15 years ago
|
Whiteboard: [ccbr]
|
Assignee | |
Comment 1•15 years ago
|
||
The code shown in the patch was not self-consistent (look for all occurrences of script->nfixed - 2). D'oh!
Gary, thanks for all the fuzzing!
/be
|
|
Assignee | |
Updated•15 years ago
|
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
||
Comment 2•15 years ago
|
||
Comment on attachment 400403 [details] [diff] [review]
fix
We should define a constant like SHARP_LOCAL_COUNT and use it, not just a plain 2, which is confusing with all those args - 2. Also the patch should use either memcpy/loop or a static assert that SHARP_LOCAL_COUNT is 2 when initializing the slots. At least this will be self-commenting. r+ with this fixed.
Attachment #400403 -
Flags: review?(igor)
|
|
Assignee | |
Comment 3•15 years ago
|
||
Thanks, I opted for static assert (in two files, mainly as you say to document the unrolled short loop or similar dependency on #array/#depth being the two and only two sharp locals). Fixed in tm:
http://hg.mozilla.org/tracemonkey/rev/d23e05e857b3
/be
Whiteboard: [ccbr] → fixed-in-tracemonkey [ccbr]
|
||
Comment 4•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2+ → blocking1.9.2?
|
||
Comment 5•15 years ago
|
||
Did/should this land on mozilla-1.9.2? @js_Interpret is the topcrash on Firefox 3.6b1 by an order of magnitude.
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2+ → blocking1.9.2-
|
|
||
Comment 6•15 years ago
|
||
Bug 514981 did not land on 192
|
||
Updated•14 years ago
|
Crash Signature: [@ js_Interpret]
You need to log in
before you can comment on or make changes to this bug.
Description
•