Closed Bug 583692 Opened 11 years ago Closed 11 years ago

JM: Crash [@ 0x02ffffec]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Assigned: adrake)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

function g(code) {
  f = eval("(function(){" + code + "});");
  try {
    rv = f();
  } catch(e) {}
  h();
}
a1 = a2 = uneval;
function h() {
  delete this.gc;
  this.gc = a1;
  delete this.uneval;
  this.uneval = a2;
}
__defineSetter__("x",function(){})
for (let a = 0;a<10000; a++) {
  eval("(function(){v=0});");
  g("with({a:x})function(){}");
  g("for(var b=0;b<6;++b){if(3==2){p}else{print(x)}}");
}

crashes js debug and opt shell on JM changeset 2ee92d697741 with -m at 0x02ffffec.


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x032fffec
0x037d885a in ?? ()
(gdb) bt
#0  0x037d885a in ?? ()
#1  0x001f4c67 in js::mjit::JaegerShot (cx=0x50abc0) at ../methodjit/MethodJIT.cpp:696
#2  0x000b6d57 in js::RunScript (cx=0x50abc0, script=0x50e5d0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:461
#3  0x000b82b8 in js::Execute (cx=0x50abc0, chain=0x702000, script=0x50e5d0, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:949
#4  0x000172b4 in JS_ExecuteScript (cx=0x50abc0, obj=0x702000, script=0x50e5d0, rval=0xbffff680) at ../jsapi.cpp:4736
#5  0x0000c254 in Process (cx=0x50abc0, obj=0x702000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533
#6  0x0000cc57 in ProcessArgs (cx=0x50abc0, obj=0x702000, argv=0xbffff84c, argc=1) at ../../shell/js.cpp:860
#7  0x0000cd70 in shell (cx=0x50abc0, argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:4981
#8  0x0000ce94 in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5077
(gdb) x/i $eip
0x37d885a:      mov    -0x1c(%esi),%edi
(gdb) x/b $esi
0x3300008:      0x48
Only crashes on 32-bit with ICs enabled.
Bisection results:

Changeset 48658:05e714a501e9: bad
The first bad revision is:
changeset:   48658:05e714a501e9
user:        David Anderson <danderson@mozilla.com>
date:        Fri Jul 23 15:35:48 2010 -0700
summary:     [JAEGER] PIC for global scope name resolutions (bug 581291).
Reduced test case:

__defineSetter__("x",function(){})
for (var i = 0; i < 65536; i++) {
  new Function("for (var b = 0; b < 3; b++){ assertEq(x,undefined); }")();
}

Bug is caused when a name pic gets generated at the same address twice.
Assignee: general → adrake
Status: NEW → ASSIGNED
Scratch that, it's GC related.
Attached patch Patch v0
Patch as discussed.
Attachment #462284 - Flags: review?(dvander)
Comment on attachment 462284 [details] [diff] [review]
Patch v0

Thanks!
Attachment #462284 - Flags: review?(dvander) → review+
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/f538bae93cf5
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ 0x02ffffec]