Closed
Bug 571626
Opened 14 years ago
Closed 14 years ago
TM: Crash [@ js::ExecuteTree]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 584565
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta4+ |
People
(Reporter: marcia, Assigned: Waldo)
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos])
Attachments
(2 files, 2 obsolete files)
Seen while running: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a6pre) Gecko/20100611 Minefield/3.7a6pre and reviewing crash stats.

STR:
1. Load the site in the URL. Crash.

https://crash-stats.mozilla.com/report/index/963b5dac-a91d-4502-a326-8e4c92100611

Frame | Module | Signature | Source |
---|---|---|---|
0 | | @0x2baee79 | |
1 | mozjs.dll | js::ExecuteTree | js/src/jstracer.cpp:6493 |
2 | mozjs.dll | js::TraceRecorder::attemptTreeCall | js/src/jstracer.cpp:5999 |
3 | mozjs.dll | js::TraceRecorder::recordLoopEdge | js/src/jstracer.cpp:5941 |
4 | mozjs.dll | js::MonitorLoopEdge | js/src/jstracer.cpp:6880 |
5 | mozjs.dll | js_Interpret | js/src/jsops.cpp:918 |
6 | mozjs.dll | js_Execute | js/src/jsinterp.cpp:854 |
7 | mozjs.dll | JS_EvaluateUCScriptForPrincipals | js/src/jsapi.cpp:4563 |
8 | xul.dll | nsJSContext::EvaluateString | dom/base/nsJSEnvironment.cpp:1786 |
9 | xul.dll | nsScriptLoader::EvaluateScript | content/base/src/nsScriptLoader.cpp:752 |
10 | xul.dll | nsScriptLoader::ProcessRequest | content/base/src/nsScriptLoader.cpp:665 |
11 | xul.dll | nsCOMPtr_base::assign_with_AddRef | obj-firefox/xpcom/build/nsCOMPtr.cpp:88 |
12 | xul.dll | nsScriptLoader::ProcessScriptElement | content/base/src/nsScriptLoader.cpp:614 |

Crashes started appearing on 6-09. Will get an exact regression range in a moment.
Reporter
Comment 1•14 years ago

Regression window:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100606 Minefield/3.7a5pre - works
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100607 Minefield/3.7a5pre - crash

Pushlog: http://tinyurl.com/2f3qjjg
Keywords: regression
Reporter
Updated•14 years ago
Summary: Crash in @ js::ExecuteTree → Crash in [@ js::ExecuteTree]
Comment 2•14 years ago

On TM branch the regression range is:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=8f08ae0b74df&tochange=b3e27c1ee35e

Crashes on latest TM branch nightly too. Setting javascript.options.jit.content;false prevents the crashing.
Summary: Crash in [@ js::ExecuteTree] → TM: Crash in [@ js::ExecuteTree]
Comment 3•14 years ago
I've a 1,000-line-total testcase coming up. dvander indicates to assume the worst - s-s'ing now.
Comment 4•14 years ago
Comment 5•14 years ago
Comment 6•14 years ago
Attachment #450812 - Attachment is obsolete: true
Attachment #450813 - Attachment is obsolete: true
Comment 7•14 years ago

(In reply to comment #6)
> Created an attachment (id=450827) [details]
> 33-line shell testcase

Seems to be a null dereference, assume [sg:dos] unless otherwise noted:

    Program received signal SIGSEGV, Segmentation fault.
    0x003efe66 in ?? ()
    (gdb) bt
    #0  0x003efe66 in ?? ()
    #1  0x08163dfd in js::ExecuteTree(JSContext*, js::TreeFragment*, unsigned int&, js::VMSideExit**, js::VMSideExit**) ()
    (gdb) x/i $eip
    => 0x3efe66: mov (%eax),%ecx
    (gdb) x/b $eax
    0x0: Cannot access memory at address 0x0
Hardware: x86 → All
Whiteboard: [ccbr][sg:dos]
Comment 8•14 years ago

autoBisect shows this is probably related to the following changeset:

The first bad revision is:

    changeset: 42835:b3e27c1ee35e
    user: Jeff Walden
    date: Wed Jun 02 23:44:24 2010 -0700
    summary: Bug 548671 - Stop using shared-permanent properties "inherited" from the prototype to represent (function(){}).length and [].length. r=jorendorff
Blocks: 548671
Summary: TM: Crash in [@ js::ExecuteTree] → TM: Crash [@ js::ExecuteTree]
Assignee
Updated•14 years ago
Assignee: general → jwalden+bmo
Comment 9•14 years ago

Awesome work, guys. Here's a 4-line test case:

    for (var i = 0; i < 9; i++) {
        var f = function (file) {};
        f.call(this, f.length >= 2);
    }
Comment 10•14 years ago
Here's the debug spew for the 4-line test case. (windows x64)
Updated•14 years ago
blocking2.0: --- → ?
Comment 11•14 years ago

Bug 579551 is about the same signature, and that signature has risen up significantly in recent builds. Related to this or something else?
Comment 12•14 years ago

Fixed by Bug 584565
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
blocking2.0: ? → beta4+
Updated•13 years ago
Crash Signature: [@ js::ExecuteTree]
Updated•13 years ago
Group: core-security