Closed
Bug 524927
Opened 16 years ago
Closed 16 years ago
TM: TM tip fails old trace-test.js with segfault (GC hazard)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 523947
People
(Reporter: gal, Unassigned)
Details
TEST-PASS | trace-test.js | Math.tan(5*Math.PI/4)
TEST-PASS | trace-test.js | Math.tan(7*Math.PI/4)
TEST-PASS | trace-test.js | Infinity/Math.tan(-0)
TEST-PASS | trace-test.js | createMandelSet
TEST-PASS | trace-test.js | createMandelSet
TEST-PASS | trace-test.js | createMandelSet
Segmentation fault
whale:src gal$
Comment 1•16 years ago (Reporter)
Gregor says this
Comment 2•16 years ago (Reporter)
Gregor says this goes all the way back to the last m-c merge. I can confirm that we have been failing trace-test for a really long time (more than 25 changesets ago). Too tired to bisect right now, but this is bad.
Comment 3•16 years ago
revision 34228 works and 34230 does not work.
gdb says:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadfec
0x0006bedb in JS_CallTracer (trc=0xbfff51fc, thing=0xdadadad8, kind=1) at ../jsgc.cpp:2124
2124 JS_ASSERT(!a->list);
(gdb) bt
#0 0x0006bedb in JS_CallTracer (trc=0xbfff51fc, thing=0xdadadad8, kind=1) at ../jsgc.cpp:2124
#1 0x0006c5d8 in js_TraceStackFrame (trc=0xbfff51fc, fp=0x869160) at ../jsgc.cpp:2332
#2 0x0006cf79 in js_TraceContext (trc=0xbfff51fc, acx=0x30aba0) at ../jsgc.cpp:2457
#3 0x0006d5bf in js_TraceRuntime (trc=0xbfff51fc, allAtoms=1) at ../jsgc.cpp:2589
#4 0x0006e79b in js_GC (cx=0x30aba0, gckind=GC_LAST_DITCH) at ../jsgc.cpp:3158
#5 0x0006f41c in RefillDoubleFreeList (cx=0x30aba0) at ../jsgc.cpp:1660
#6 0x0006f560 in js_NewDoubleInRootedValue (cx=0x30aba0, d=-0.0050000000000000001, vp=0x869120) at ../jsgc.cpp:1712
#7 0x001557a5 in NativeToValueBase<ReserveDoubleOOMHandler> (cx=0x30aba0, v=@0x869120, type=TT_DOUBLE, slot=0xbfff6748) at ../jstracer.cpp:2890
#8 0x00155b02 in NativeToValue (cx=0x30aba0, v=@0x869120, type=TT_DOUBLE, slot=0xbfff6748) at ../jstracer.cpp:2954
#9 0x0016f8c0 in FlushNativeStackFrameVisitor::visitStackSlots (this=0xbfff5480, vp=0x869120, count=12, fp=0x8690ac) at ../jstracer.cpp:3069
#10 0x00155c8e in VisitFrameSlots<FlushNativeStackFrameVisitor> (visitor=@0xbfff5480, depth=0, fp=0x8690ac, up=0x869160) at ../jstracer.cpp:2002
#11 0x00155b6e in VisitFrameSlots<FlushNativeStackFrameVisitor> (visitor=@0xbfff5480, depth=1, fp=0x869160, up=0x0) at ../jstracer.cpp:1989
#12 0x00155df4 in VisitStackSlots<FlushNativeStackFrameVisitor> (visitor=@0xbfff5480, cx=0x30aba0, callDepth=1) at ../jstracer.cpp:2027
#13 0x00155e63 in FlushNativeStackFrame (cx=0x30aba0, callDepth=1, mp=0x86c3f0, np=0xbfff6708, stopFrame=0x869160, ignoreSlots=0) at ../jstracer.cpp:3358
#14 0x00156b90 in LeaveTree (state=@0xbfff5630, lr=0x8647a4) at ../jstracer.cpp:6673
#15 0x00158e01 in ExecuteTree (cx=0x30aba0, f=0x86c2b4, inlineCallCount=@0xbffff2c0, innermostNestedGuardp=0xbfffef78) at ../jstracer.cpp:6492
#16 0x00164d09 in js_MonitorLoopEdge (cx=0x30aba0, inlineCallCount=@0xbffff2c0, reason=Record_Branch) at ../jstracer.cpp:6963
#17 0x0007ccad in js_Interpret (cx=0x30aba0) at jsops.cpp:923
#18 0x0009bc7f in js_Execute (cx=0x30aba0, chain=0x2f5000, script=0x995c00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1616
#19 0x000113a7 in JS_ExecuteScript (cx=0x30aba0, obj=0x2f5000, script=0x995c00, rval=0x0) at ../jsapi.cpp:4962
#20 0x0000a05a in Process (cx=0x30aba0, obj=0x2f5000, filename=0xbffff979 "./trace-test.js", forceTTY=0) at ../../shell/js.cpp:438
#21 0x0000ad9c in ProcessArgs (cx=0x30aba0, obj=0x2f5000, argv=0xbffff8b0, argc=2) at ../../shell/js.cpp:847
#22 0x0000b169 in main (argc=2, argv=0xbffff8b0, envp=0xbffff8bc) at ../../shell/js.cpp:4841
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE