Closed
Bug 556182
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ js::methodjit::JaegerShot]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dmandelin)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
(function() {
for each(d in [0, new Number(), /x/, 0, new Number()]) {
__defineGetter__("", d.valueOf)
}
})()
crashes js debug 32-bit and opt 32-bit shells at a weird memory address with js::methodjit::JaegerShot down on the stack on JM tip with -m.
Stack:
js> (function() {
for each(d in [0, new Number(), /x/, 0, new Number(), ]) {
__defineGetter__("", d.valueOf)
}
})()
[pic] moving 1 infos to script
[pic] entry 0: hpb=0x3e027d crl=0x3e0393
[pic] GETPROP 0x3e0393 typein:3
[pic] native obj=0x3f1440 atom=valueOf
[pic] lookup -> holder=0x3f1320 (shape 229|e5) id=3f34f4 prop=0x858a50
[pic] PIC 0x40d334 hit=0 patched=0 gen'd = 0
[pic] return -> 0x3ee038
[pic] GETPROP 0x3e0393 typein:3
[pic] native obj=0x3f1340 atom=valueOf
[pic] lookup -> holder=0x3f1320 (shape 229|e5) id=3f34f4 prop=0x858a50
[pic] PIC 0x40d334 hit=1 patched=0 gen'd = 0
[pic] getprop, slot=7 value=0x3ee038
[pic] generate getprop stub
[pic] proto chain item, shape = 229
[pic] proto chain length = 1
[pic] new stub start=0x3e0398
[pic] return -> 0x3ee038
[pic] GETPROP 0x3e0393 typein:3
[pic] native obj=0x3f1360 atom=valueOf
[pic] lookup -> holder=0x3f1020 (shape 264|108) id=3f34f4 prop=0x857410
[pic] PIC 0x40d334 hit=1 patched=0 gen'd = 1
[pic] getprop, slot=6 value=0x3f0230
[pic] generate getprop stub
[pic] proto chain item, shape = 188
[pic] proto chain length > 1, giving up
[pic] return -> 0x3f0230
[pic] GETPROP 0x3e0393 typein:3
[pic] native obj=0x3f1460 atom=valueOf
[pic] lookup -> holder=0x3f1320 (shape 229|e5) id=3f34f4 prop=0x858a50
[pic] PIC 0x40d334 hit=1 patched=0 gen'd = 1
[pic] getprop, slot=7 value=0x3ee038
[pic] generate getprop stub
[pic] proto chain item, shape = 229
[pic] proto chain length = 1
[pic] new stub start=0x3e03c4
[pic] return -> 0x3ee038
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xf981045f
0x003e03a8 in ?? ()
(gdb) bt
#0 0x003e03a8 in ?? ()
#1 0x001e32a8 in js::methodjit::JaegerShot (cx=0x856e00) at ../methodjit/MethodJIT.cpp:546
#2 0x000a132a in js_RunScript (cx=0x856e00, script=0x40cfb0) at jsinterp.cpp:926
#3 0x000a1879 in js_Execute (cx=0x856e00, chain=0x3f1000, script=0x40cfb0, down=0x0, flags=0, result=0xbffff778) at jsinterp.cpp:1376
#4 0x00012875 in JS_ExecuteScript (cx=0x856e00, obj=0x3f1000, script=0x40cfb0, rval=0xbffff778) at ../jsapi.cpp:4822
#5 0x0000b4a4 in Process (cx=0x856e00, obj=0x3f1000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:542
#6 0x0000bea2 in ProcessArgs (cx=0x856e00, obj=0x3f1000, argv=0xbffff8fc, argc=1) at ../../shell/js.cpp:869
#7 0x0000c26f in main (argc=1, argv=0xbffff8fc, envp=0xbffff904) at ../../shell/js.cpp:4975
(gdb)
|
Reporter | |
Comment 1•14 years ago
|
||
This is occurring very often in 32-bit shells (and also producing not-very-reproducible testcases with similar stacks) when running jsfunfuzz :(
|
Assignee | |
Updated•14 years ago
|
Assignee: general → dmandelin
|
|
Assignee | |
Comment 2•14 years ago
|
||
The code was updating the PICInfo to indicate changes in the last stub as it generated a new stub. If it aborts, the PICInfo is then invalid. So now it aborts before generating any code or modifying the PICInfo. http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/5b60d49645e4
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ js::methodjit::JaegerShot]
You need to log in
before you can comment on or make changes to this bug.
Description
•