JM: Crash [@ js::mjit::stubs::SetName] or "Assertion failure: entry->vword.isSprop(),"

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
8 years ago
7 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

8 years ago
--''.trimLeft

asserts js debug shell on JM changeset 7c6f62fcbd91 with -m at Assertion failure: entry->vword.isSprop(), at ../methodjit/StubCalls.cpp:149 and crashes js opt shell at js::mjit::stubs::SetName.

Program received signal SIGSEGV, Segmentation fault.
0x082188f7 in js::mjit::stubs::SetName(js::VMFrame&, JSAtom*) ()
(gdb) bt
#0  0x082188f7 in js::mjit::stubs::SetName(js::VMFrame&, JSAtom*) ()
#1  0x08277288 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x82188f7 <_ZN2js4mjit5stubs7SetNameERNS_7VMFrameEP6JSAtom+487>:	testb  $0x40,0x10(%edx)
Works for me on moo tip 64-bit, but fails on 32-bit.
Works for me on 32-bit with ICs disabled.
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/f8de3b4433c2
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::stubs::SetName]
You need to log in before you can comment on or make changes to this bug.