Closed
Bug 555206
Opened 15 years ago
Closed 15 years ago
JM: Crash [@ js::methodjit::JaegerShot]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dmandelin)
Details
(Keywords: crash, regression, testcase)
__defineGetter__("x",/a/)
" ".replace(/\s/,"")
x.b
crashes both js debug and opt shell on 32-bit JM tip with -m at a weird memory address with js::methodjit::JaegerShot on the stack.
This is occurring rather frequently for 32-bit shells.
Looks like a PIC bug, Dave.
[pic] moving 1 infos to script
[pic] entry 0: hpb=0x502e153 crl=0x502e1b8
==5794== Invalid read of size 4
==5794== at 0x502E15F: ???
==5794== by 0x81E58FF: js::methodjit::JaegerShot(JSContext*) (MethodJIT.cpp:528)
==5794== by 0x80C1C7F: js_RunScript (jsinterp.cpp:926)
==5794== by 0x80C2D06: js_Execute (jsinterp.cpp:1376)
==5794== by 0x806B30D: JS_ExecuteScript (jsapi.cpp:4822)
==5794== by 0x804ACC0: Process(JSContext*, JSObject*, char*, int) (js.cpp:448)
==5794== by 0x804BB77: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:868)
==5794== by 0x805352C: main (js.cpp:4981)
==5794== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 2 (Assignee) • 15 years ago
Weird. By design, the current PIC is not supposed to do anything for the global object, and not for props with getters.
Assignee: general → dmandelin
Comment 3 (Assignee) • 15 years ago
This is actually pretty sucky. The problem is that the base value for lookup has the value "null", so it passes the "is it an object?" test and then faults on the shape guard. It should be easy enough to fix but it adds an extra test and jCC to the beginning of every PIC path. It should only be 1 cycle so maybe it's not too bad, but someday we may decide we want to make |null| not look like a JSObject*.
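A toy model of the guard ordering described in the comment above, added here as an illustration and not taken from JaegerMonkey's source. The value tagging (null carrying the object tag with a zero payload), the struct layouts and all function names are assumptions; the real JIT would read address 0 and crash where this model reports PIC_FAULT.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct Shape  { uint32_t id; } Shape;
typedef struct Object { const Shape *shape; } Object;

/* Assumed 32-bit-style tagging: null shares the object tag and has a zero payload,
 * so a tag-only test cannot tell it apart from a real JSObject pointer. */
enum Tag { TAG_INT = 0, TAG_OBJECT = 1 };
typedef struct Value { enum Tag tag; uintptr_t payload; } Value;

static Value object_value(const Object *o) { return (Value){ TAG_OBJECT, (uintptr_t)o }; }
static Value null_value(void)             { return (Value){ TAG_OBJECT, 0 }; }

enum PicResult { PIC_HIT, PIC_MISS, PIC_SLOWPATH, PIC_FAULT };

/* Shared tail of both paths: the shape guard loads through the base pointer.
 * A null base would be an invalid read of address 0; reported here as PIC_FAULT. */
static enum PicResult shape_guard(const Object *obj, uint32_t expected_shape) {
    if (obj == NULL) return PIC_FAULT;
    return obj->shape->id == expected_shape ? PIC_HIT : PIC_MISS;
}

/* Original PIC path: only the "is it an object?" tag test precedes the shape guard. */
static enum PicResult pic_guard_original(Value base, uint32_t expected_shape) {
    if (base.tag != TAG_OBJECT) return PIC_SLOWPATH;
    return shape_guard((const Object *)base.payload, expected_shape);
}

/* Fixed PIC path: one extra compare-and-branch sends null to the slow path,
 * which can then raise the TypeError that |null.b| is supposed to produce. */
static enum PicResult pic_guard_fixed(Value base, uint32_t expected_shape) {
    if (base.tag != TAG_OBJECT || base.payload == 0) return PIC_SLOWPATH;
    return shape_guard((const Object *)base.payload, expected_shape);
}

int main(void) {
    static const Shape shape = { 42 };
    static const Object obj = { &shape };
    printf("object base: original=%d fixed=%d\n",
           pic_guard_original(object_value(&obj), 42), pic_guard_fixed(object_value(&obj), 42));
    printf("null base:   original=%d fixed=%d\n",
           pic_guard_original(null_value(), 42), pic_guard_fixed(null_value(), 42));
    return 0;
}
```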
Comment 4 (Assignee) • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Yuck. I think we will w/ lw's dual stack & unified trace/val types.
Comment 6 (Reporter) • 15 years ago
(In reply to comment #4)
> http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/file/08f8d18f9a60
This is probably the more correct URL:
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/08f8d18f9a60
Updated • 13 years ago
Crash Signature: [@ js::methodjit::JaegerShot]
Comment 7 • 12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug555206.js.
Flags: in-testsuite+