__defineGetter__("x",/a/)
" ".replace(/\s/,"")
x.b

crashes both js debug and opt shell on 32-bit JM tip with -m at a weird memory address with js::methodjit::JaegerShot on the stack. This is occurring rather frequently for 32-bit shells.
Looks like a PIC bug, Dave.

[pic] moving 1 infos to script
[pic] entry 0: hpb=0x502e153 crl=0x502e1b8
==5794== Invalid read of size 4
==5794==    at 0x502E15F: ???
==5794==    by 0x81E58FF: js::methodjit::JaegerShot(JSContext*) (MethodJIT.cpp:528)
==5794==    by 0x80C1C7F: js_RunScript (jsinterp.cpp:926)
==5794==    by 0x80C2D06: js_Execute (jsinterp.cpp:1376)
==5794==    by 0x806B30D: JS_ExecuteScript (jsapi.cpp:4822)
==5794==    by 0x804ACC0: Process(JSContext*, JSObject*, char*, int) (js.cpp:448)
==5794==    by 0x804BB77: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:868)
==5794==    by 0x805352C: main (js.cpp:4981)
==5794==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Weird. By design, the current PIC is not supposed to do anything for the global object, nor for props with getters.
Assignee: general → dmandelin
This is actually pretty sucky. The problem is that the base value for lookup has the value "null", so it passes the "is it an object?" test and then faults on the shape guard. It should be easy enough to fix but it adds an extra test and jCC to the beginning of every PIC path. It should only be 1 cycle so maybe it's not too bad, but someday we may decide we want to make |null| not look like a JSObject*.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
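As an added illustration of the failure mode described in the comment above (not SpiderMonkey's code), a toy tagged-value PIC fast path in which null carries the object tag with a zero payload: the buggy guard order passes the "is it an object?" test and faults on the shape guard, while the fixed order adds the one extra compare-and-branch before any load. All type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not SpiderMonkey code: a tagged value whose |null| carries the
 * object tag with a zero payload, so it passes an "is it an object?" test. */
typedef struct Shape { uint32_t id; } Shape;
typedef struct Object { const Shape *shape; int32_t slots[2]; } Object;
enum Tag { TAG_INT, TAG_OBJECT };
typedef struct Value { enum Tag tag; union { int32_t i; Object *obj; } u; } Value;

static Value make_null(void) { Value v; v.tag = TAG_OBJECT; v.u.obj = NULL; return v; }
static Value make_obj(Object *o) { Value v; v.tag = TAG_OBJECT; v.u.obj = o; return v; }

enum PicResult { PIC_HIT, PIC_SLOW_PATH, PIC_NULL_DEREF };

/* Buggy guard order (hypothetical reconstruction): the tag test lets null
 * through, and the shape guard then reads through a null pointer. The real
 * JIT faults at address 0 here; we report it instead so the example runs. */
static enum PicResult pic_get_buggy(Value base, const Shape *cached, int slot, int32_t *out) {
    if (base.tag != TAG_OBJECT)
        return PIC_SLOW_PATH;
    if (base.u.obj == NULL)
        return PIC_NULL_DEREF;            /* would be: base.u.obj->shape */
    if (base.u.obj->shape != cached)
        return PIC_SLOW_PATH;             /* shape guard miss */
    *out = base.u.obj->slots[slot];
    return PIC_HIT;
}

/* Fixed guard order: one extra compare-and-branch per PIC path, as the
 * comment above describes, sends null to the slow path before any load. */
static enum PicResult pic_get_fixed(Value base, const Shape *cached, int slot, int32_t *out) {
    if (base.tag != TAG_OBJECT || base.u.obj == NULL)
        return PIC_SLOW_PATH;             /* slow path raises the TypeError */
    if (base.u.obj->shape != cached)
        return PIC_SLOW_PATH;
    *out = base.u.obj->slots[slot];
    return PIC_HIT;
}

int main(void) {
    Shape s = { 1 };
    Object o = { &s, { 7, 42 } };         /* constructed sample object */
    int32_t v = 0;
    printf("obj.b  buggy: %s %d\n", pic_get_buggy(make_obj(&o), &s, 1, &v) == PIC_HIT ? "hit" : "miss", v);
    printf("null.b buggy: %s\n", pic_get_buggy(make_null(), &s, 1, &v) == PIC_NULL_DEREF ? "null deref" : "ok");
    printf("null.b fixed: %s\n", pic_get_fixed(make_null(), &s, 1, &v) == PIC_SLOW_PATH ? "slow path" : "?");
    return 0;
}
```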
Yuck. I think we will w/ lw's dual stack & unified trace/val types.
(In reply to comment #4)
> http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/file/08f8d18f9a60

This is probably the more correct URL: http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/08f8d18f9a60
Crash Signature: [@ js::methodjit::JaegerShot]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug555206.js.