Bug 583692 - JM: Crash [@ 0x02ffffec]
Status: RESOLVED FIXED (opened 15 years ago, closed 15 years ago)
Categories: Core :: JavaScript Engine, defect
People: Reporter: gkw, Assigned: adrake
Keywords: crash, regression, testcase
Attachments (1 file): Patch v0 (769 bytes, patch), dvander: review+

Description
function g(code) {
  f = eval("(function(){" + code + "});");
  try {
    rv = f();
  } catch(e) {}
  h();
}
a1 = a2 = uneval;
function h() {
  delete this.gc;
  this.gc = a1;
  delete this.uneval;
  this.uneval = a2;
}
__defineSetter__("x",function(){})
for (let a = 0;a<10000; a++) {
  eval("(function(){v=0});");
  g("with({a:x})function(){}");
  g("for(var b=0;b<6;++b){if(3==2){p}else{print(x)}}");
}
This crashes the js debug and opt shells on JM changeset 2ee92d697741 with -m, at 0x02ffffec.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x032fffec
0x037d885a in ?? ()
(gdb) bt
#0 0x037d885a in ?? ()
#1 0x001f4c67 in js::mjit::JaegerShot (cx=0x50abc0) at ../methodjit/MethodJIT.cpp:696
#2 0x000b6d57 in js::RunScript (cx=0x50abc0, script=0x50e5d0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:461
#3 0x000b82b8 in js::Execute (cx=0x50abc0, chain=0x702000, script=0x50e5d0, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:949
#4 0x000172b4 in JS_ExecuteScript (cx=0x50abc0, obj=0x702000, script=0x50e5d0, rval=0xbffff680) at ../jsapi.cpp:4736
#5 0x0000c254 in Process (cx=0x50abc0, obj=0x702000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533
#6 0x0000cc57 in ProcessArgs (cx=0x50abc0, obj=0x702000, argv=0xbffff84c, argc=1) at ../../shell/js.cpp:860
#7 0x0000cd70 in shell (cx=0x50abc0, argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:4981
#8 0x0000ce94 in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5077
(gdb) x/i $eip
0x37d885a: mov -0x1c(%esi),%edi
(gdb) x/b $esi
0x3300008: 0x48
Comment 1 (Assignee, 15 years ago):
Only crashes on 32-bit with ICs enabled.
Comment 2 (Assignee, 15 years ago):
Bisection results:
Changeset 48658:05e714a501e9: bad
The first bad revision is:
changeset: 48658:05e714a501e9
user: David Anderson <danderson@mozilla.com>
date: Fri Jul 23 15:35:48 2010 -0700
summary: [JAEGER] PIC for global scope name resolutions (bug 581291).
Comment 3 (Assignee, 15 years ago):
Reduced test case:
__defineSetter__("x",function(){})
for (var i = 0; i < 65536; i++) {
  new Function("for (var b = 0; b < 3; b++){ assertEq(x,undefined); }")();
}
Bug is caused when a name pic gets generated at the same address twice.
Assignee: general → adrake
Status: NEW → ASSIGNED
Comment 4 (Assignee, 15 years ago):
Scratch that, it's GC related.
Comment on attachment 462284 (Patch v0):
Thanks!
Attachment #462284 - Flags: review?(dvander) → review+
Comment 7 (Assignee, 15 years ago):
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated (14 years ago):
Crash Signature: [@ 0x02ffffec]