Closed Bug 520492 Opened 15 years ago Closed 15 years ago

Crash [@ TraceRecorder::attemptTreeCall] - js1_6/extensions/regress-472508.js

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
blocker

VERIFIED FIXED

People

(Reporter: bc, Assigned: dvander)

Details

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #520003 +++

js1_6/extensions/regress-472508.js crashed debug shell and browser in winxp only. This is another regression from bug 459301.
Flags: in-testsuite+
+		&innermostNestedGuard	0x0012eea4	VMSideExit * *
+		cx	0xdddddddd {operationCallbackFlag=??? link={...} xmlSettingFlags=??? ...}	JSContext *
+		f	0x06933a10 {first=0x06933a10 next=0x00000000 peer=0x00000000 ...}	VMFragment *
		inlineCallCount	0	unsigned int &
+		lr	0x06da5300 {block=0x00000000 pc=0x00741e5d ":" imacpc=0x06da8ada "LÿûMœ" ...}	VMSideExit *
+		this	0x06da4048 {tempAlloc={...} mark={...} cx=0xdddddddd ...}	TraceRecorder * const

js3250.dll!TraceRecorder::attemptTreeCall(VMFragment * f=0x06933a10, unsigned int & inlineCallCount=0)  Line 5985 + 0x6 bytes	C++
js3250.dll!RecordLoopEdge(JSContext * cx=0x05198530, TraceRecorder * r=0x06da4048, unsigned int & inlineCallCount=0)  Line 5948 + 0x10 bytes	C++
js3250.dll!js_MonitorLoopEdge(JSContext * cx=0x05198530, unsigned int & inlineCallCount=0, MonitorReason reason=Monitor_Branch)  Line 6796 + 0x14 bytes	C++

mmm, deleted memory.
Severity: normal → blocker
Summary: Crash [ @ ] - js1_6/extensions/regress-472508.js → Crash [ @ TraceRecorder::attemptTreeCall] - js1_6/extensions/regress-472508.js
Attached patch: fix
Good catch. Bug here is that I forgot to save |this->cx| when |this| can be destroyed.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #404669 - Flags: review?(gal)
jsfunfuzz has also been hitting this issue...
Comment on attachment 404669 [details] [diff] [review]
fix

Please use a comment or maybe localCx.
Attachment #404669 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/7f14152ae76f

pushed, renamed _cx to localCx.
Whiteboard: fixed-in-tracemonkey
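
The bug class discussed in this thread (a member read through |this| after a call that can destroy |this|) and the local-copy fix, as an added C++ example. It is not the attached patch or SpiderMonkey code: Context, Recorder, runNested, attemptCall and abortRecording are hypothetical stand-ins, and only the name localCx comes from the comments above.

```cpp
struct Recorder;

// Hypothetical stand-in for a context that owns the active recorder.
struct Context {
    Recorder* recorder = nullptr;
    int aborts = 0;
};

// Destroys the active recorder, as an abort path might (assumed behaviour).
void abortRecording(Context* cx);

struct Recorder {
    Context* cx;
    explicit Recorder(Context* c) : cx(c) {}

    // Hypothetical nested step: on failure it aborts recording, which frees
    // the Recorder whose member function is still on the stack.
    bool runNested(bool fails) {
        if (fails) {
            abortRecording(cx);
            return false;  // `this` is dangling from here on; no member access
        }
        return true;
    }

    bool attemptCall(bool nestedFails) {
        Context* localCx = cx;  // copy taken while `this` is still alive
        if (!runNested(nestedFails)) {
            // Writing `cx->aborts++` here would load this->cx from freed
            // memory; a debug heap fill would make that pointer garbage.
            localCx->aborts++;
            return false;
        }
        return true;
    }
};

void abortRecording(Context* cx) {
    delete cx->recorder;
    cx->recorder = nullptr;
}

// Returns the abort count after a failed nested call, or -1 on a wrong state.
int abortsAfterFailedCall() {
    Context cx;
    cx.recorder = new Recorder(&cx);
    bool ok = cx.recorder->attemptCall(true);
    return (!ok && cx.recorder == nullptr) ? cx.aborts : -1;
}
```

Building a variant that uses `cx->aborts++` on the failure path with AddressSanitizer reports the read as a heap-use-after-free, which catches this class of bug on platforms where the freed block happens to stay readable.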
http://hg.mozilla.org/mozilla-central/rev/7f14152ae76f
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
v 1.9.3
Status: RESOLVED → VERIFIED
Keywords: crash
Summary: Crash [ @ TraceRecorder::attemptTreeCall] - js1_6/extensions/regress-472508.js → Crash [@ TraceRecorder::attemptTreeCall] - js1_6/extensions/regress-472508.js
Crash Signature: [@ TraceRecorder::attemptTreeCall]