Closed Bug 585310 Opened 15 years ago Closed 15 years ago

JM: (64-bit) Crash at a weird location

Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: gkw
Assignee: Unassigned
Keywords: crash, regression, testcase

gczeal(2) try { (function () { for each(l in [0, 0, 0]) { print(''.replace(function () {})) } })() } catch (e) {}

crashes the 64-bit js debug shell on JM changeset 787e35063545 with -m at a weird location.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fe48c4 in ?? ()
(gdb) bt
#0 0x00007ffff7fe48c4 in ?? ()
#1 0x00007ffff7fe433a in ?? ()
#2 0x00007ffff6f23efa in gettimeofday () at ../sysdeps/unix/sysv/linux/x86_64/gettimeofday.S:37
#3 0x00000000005639bc in PRMJ_Now () at ../prmjtime.cpp:337
#4 0x000000000056502e in js::mjit::JaegerShot (cx=0x8d2510) at ../methodjit/MethodJIT.cpp:696
#5 0x0000000000499df5 in js::RunScript (cx=0x8d2510, script=0x8db620, fun=0x0, scopeChain=0x7ffff6903000) at ../jsinterp.cpp:466
#6 0x000000000049ada3 in js::Execute (cx=0x8d2510, chain=0x7ffff6903000, script=0x8db620, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:954
#7 0x0000000000428c50 in JS_ExecuteScript (cx=0x8d2510, obj=0x7ffff6903000, script=0x8db620, rval=0x0) at ../jsapi.cpp:4740
#8 0x0000000000404bde in Process (cx=0x8d2510, obj=0x7ffff6903000, filename=0x7fffffffe5c6 "gettimeofdayCrash.js", forceTTY=0) at ../../shell/js.cpp:441
#9 0x00000000004059ce in ProcessArgs (cx=0x8d2510, obj=0x7ffff6903000, argv=0x7fffffffe2b0, argc=2) at ../../shell/js.cpp:861
#10 0x000000000040dee0 in shell (cx=0x8d2510, argc=2, argv=0x7fffffffe2b0, envp=0x7fffffffe2c8) at ../../shell/js.cpp:5034
#11 0x000000000040dff0 in main (argc=2, argv=0x7fffffffe2b0, envp=0x7fffffffe2c8) at ../../shell/js.cpp:5130
(gdb) x/i $rip
=> 0x7ffff7fe48c4: add %al,(%rax,%rax,1)
Here's a variant:

x = gczeal(2) try { (function () { for each(d in [x, x, x]) { 'a'.replace(/a/, function () {}) } })() } catch (e) {}

Program received signal SIGBUS, Bus error.
*__GI_getenv (name=0x5ef919 "_DUMP_CONSERVATIVE_GC_ROOTS") at getenv.c:84
84 getenv.c: No such file or directory.
in getenv.c
(gdb) bt
#0 *__GI_getenv (name=0x5ef919 "_DUMP_CONSERVATIVE_GC_ROOTS") at getenv.c:84
#1 0x0000000000489f9c in GCMarker (this=0x7fffffffd850, cx=0x8d2510) at ../jsgc.cpp:1898
#2 0x000000000048bfe6 in GC (cx=0x8d2510) at ../jsgc.cpp:3072
#3 0x000000000048c44c in GCUntilDone (cx=0x8d2510, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3452
#4 0x000000000048c5b0 in js_GC (cx=0x8d2510, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3506
#5 0x0000000000489253 in LastDitchGC (cx=0x8d2510) at ../jsgc.cpp:1636
#6 0x00000000004893a8 in RefillFinalizableFreeList (cx=0x8d2510, thingKind=0) at ../jsgc.cpp:1660
#7 0x00000000004897a5 in js_NewFinalizableGCThing (cx=0x8d2510, thingKind=0) at ../jsgc.cpp:1748
#8 0x0000000000505012 in js_NewGCObject (cx=0x8d2510) at ../jsgc.h:270
#9 0x00000000005051d2 in NewNativeClassInstance (cx=0x8d2510, clasp=0x87a7e0, proto=0x7ffff6903240, parent=0x7ffff6903000) at ../jsobjinlines.h:563
#10 0x0000000000510cfb in js_CloneRegExpObject (cx=0x8d2510, obj=0x7ffff6903288, proto=0x7ffff6903240) at ../jsregexp.cpp:5838
#11 0x00000000005d5ac9 in js::mjit::stubs::RegExp (f=..., regex=0x7ffff6903288) at ../methodjit/StubCalls.cpp:1545
#12 0x00007ffff7fe4b99 in ?? ()
#13 0x00007ffff7fe4375 in ?? ()
#14 0x00007ffff6f23efa in gettimeofday () at ../sysdeps/unix/sysv/linux/x86_64/gettimeofday.S:37
#15 0x00000000005639bc in PRMJ_Now () at ../prmjtime.cpp:337
#16 0x000000000056502e in js::mjit::JaegerShot (cx=0x8d2510) at ../methodjit/MethodJIT.cpp:696
#17 0x0000000000499df5 in js::RunScript (cx=0x8d2510, script=0x8db890, fun=0x0, scopeChain=0x7ffff6903000) at ../jsinterp.cpp:466
#18 0x000000000049ada3 in js::Execute (cx=0x8d2510, chain=0x7ffff6903000, script=0x8db890, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:954
#19 0x0000000000428c50 in JS_ExecuteScript (cx=0x8d2510, obj=0x7ffff6903000, script=0x8db890, rval=0x0) at ../jsapi.cpp:4740
#20 0x0000000000404bde in Process (cx=0x8d2510, obj=0x7ffff6903000, filename=0x7fffffffe5c8 "trampolineCrash.js", forceTTY=0) at ../../shell/js.cpp:441
#21 0x00000000004059ce in ProcessArgs (cx=0x8d2510, obj=0x7ffff6903000, argv=0x7fffffffe2b0, argc=2) at ../../shell/js.cpp:861
#22 0x000000000040dee0 in shell (cx=0x8d2510, argc=2, argv=0x7fffffffe2b0, envp=0x7fffffffe2c8) at ../../shell/js.cpp:5034
#23 0x000000000040dff0 in main (argc=2, argv=0x7fffffffe2b0, envp=0x7fffffffe2c8) at ../../shell/js.cpp:5130
(gdb) x/i $rip
=> 0x7ffff6ec2830 <*__GI_getenv+144>: cmp 0x0(%rbp),%r13w
(gdb) x/b $rbp
0x10007fffffffe60f: Cannot access memory at address 0x10007fffffffe60f
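Both backtraces in this bug contain frames that gdb prints as `?? ()`: return addresses that no symbol covers, which in a JIT shell are normally method-JIT generated code or trampolines. The helper below is an added triage example for readers of this bug; it is not code from the bug, from the reporter, or from SpiderMonkey. It parses `(gdb) bt` output into frames, locates the runs of unsymbolized frames, and reports the named frames that bracket each run (the stub the JIT code called and the frame the unwinder landed on above it). The sample inputs are excerpts of the two backtraces posted above; the second excerpt is truncated, so the helper reports no crash site for it rather than guessing.

```python
"""Triage helper: find unsymbolized (JIT) runs in a gdb backtrace.

Added example for bug 585310, not code from the bug or from SpiderMonkey.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One gdb frame line: "#N [0xADDR in] func (args) [at file:line]".
# Frame #0 is printed without an address when gdb stopped inside a
# symbolized function (see the *__GI_getenv frame in the bug).
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+"
    r"(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>\S+)\s+\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)


@dataclass
class Frame:
    index: int
    addr: Optional[str]
    func: str
    args: str
    file: Optional[str]
    line: Optional[int]

    @property
    def unsymbolized(self) -> bool:
        # gdb prints "??" when no symbol covers the return address.
        return self.func == "??"


def parse_backtrace(text: str) -> List[Frame]:
    """Return the frames in a gdb session dump, in frame order.

    Prompts, signal lines and source listings are skipped.
    """
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append(Frame(
            index=int(m["idx"]), addr=m["addr"], func=m["func"],
            args=m["args"], file=m["file"],
            line=int(m["line"]) if m["line"] else None))
    return frames


def unsymbolized_runs(frames: List[Frame]) -> List[Tuple]:
    """Contiguous runs of '??' frames with their bracketing named frames.

    Each entry is (first_idx, last_idx, callee, caller): callee is the
    named frame just below the run (None if the run is at the crash site)
    and caller is the named frame the unwinder reached above the run.
    """
    runs = []
    i = 0
    while i < len(frames):
        if not frames[i].unsymbolized:
            i += 1
            continue
        j = i
        while j + 1 < len(frames) and frames[j + 1].unsymbolized:
            j += 1
        callee = frames[i - 1].func if i > 0 else None
        caller = frames[j + 1].func if j + 1 < len(frames) else None
        runs.append((frames[i].index, frames[j].index, callee, caller))
        i = j + 1
    return runs


def triage(text: str) -> dict:
    """Summarize a backtrace; only report a crash site if frame #0 is present."""
    frames = parse_backtrace(text)
    complete = bool(frames) and frames[0].index == 0
    return {
        "frames": len(frames),
        "crash_site": frames[0].func if complete else None,
        "crash_in_jit_code": complete and frames[0].unsymbolized,
        "runs": unsymbolized_runs(frames),
    }


# Sample input: frames #0-#4 of the first backtrace in this bug.
SAMPLE_CRASH = """\
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fe48c4 in ?? ()
(gdb) bt
#0 0x00007ffff7fe48c4 in ?? ()
#1 0x00007ffff7fe433a in ?? ()
#2 0x00007ffff6f23efa in gettimeofday () at ../sysdeps/unix/sysv/linux/x86_64/gettimeofday.S:37
#3 0x00000000005639bc in PRMJ_Now () at ../prmjtime.cpp:337
#4 0x000000000056502e in js::mjit::JaegerShot (cx=0x8d2510) at ../methodjit/MethodJIT.cpp:696
"""

# Sample input: frames #11-#16 of the second backtrace (truncated excerpt).
SAMPLE_VARIANT = """\
#11 0x00000000005d5ac9 in js::mjit::stubs::RegExp (f=..., regex=0x7ffff6903288) at ../methodjit/StubCalls.cpp:1545
#12 0x00007ffff7fe4b99 in ?? ()
#13 0x00007ffff7fe4375 in ?? ()
#14 0x00007ffff6f23efa in gettimeofday () at ../sysdeps/unix/sysv/linux/x86_64/gettimeofday.S:37
#15 0x00000000005639bc in PRMJ_Now () at ../prmjtime.cpp:337
#16 0x000000000056502e in js::mjit::JaegerShot (cx=0x8d2510) at ../methodjit/MethodJIT.cpp:696
"""

if __name__ == "__main__":
    for name, text in (("crash", SAMPLE_CRASH), ("variant", SAMPLE_VARIANT)):
        report = triage(text)
        print(name, report["frames"], "frames; crash site:", report["crash_site"])
        for first, last, callee, caller in report["runs"]:
            print(f"  #{first}-#{last} unsymbolized; callee={callee}, caller={caller}")
```

Reading the output against the bug: in the first trace the fault is inside the unsymbolized run itself, so the crash site is JIT code; in the variant the run sits between the `stubs::RegExp` stub and `gettimeofday`, which is the "weird location" the title refers to, since a libc timer routine is not a plausible caller of method-JIT code and indicates the unwinder lost the frame chain once it left symbolized code.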
Blocks: 585541
No longer blocks: 585541
Depends on: 585541
Blocks: 585541
No longer depends on: 585541
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug585310.js.
Flags: in-testsuite+