Bug 642760
Opened 14 years ago
Closed 14 years ago
TI: Crash [@ JSStackFrame::numFormalArgs]
Categories
(Core :: JavaScript Engine, defect)
Status: RESOLVED DUPLICATE of bug 642985
Reporter: decoder, Unassigned
(Keywords: crash, testcase)
Description

The following test case (run with -n -a -m) crashes on TI tip, tested on 64 bit:

    function f(N) {
      for (var i = 0; i != N; ++i) {
        var obj1 = {}, obj2 = {};
        obj1['a'+i] = 0;
        obj2['b'+i] = 0;
        for (var repeat = 0; repeat != 2; ++repeat) {
          for (var j in obj1) {
            for (var k in obj2) {
              gc();
            }
          }
        }
      }
    }
    var array = [
      function() { f(10); },
      function(array) { f(50); },
      function() { propertyIsEnumerable.call(undefined, {}); },
    ];
    for (var i = 0; i != array.length; ++i)
      array[i]();

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7f9f0b7ab720 (LWP 30045)]
    0x000000000043a06c in JSStackFrame::numFormalArgs (this=0x7f9f0a25a0b0) at ./jsinterp.h:352
    352         return fun()->nargs;
    (gdb) bt
    #0  0x000000000043a06c in JSStackFrame::numFormalArgs (this=0x7f9f0a25a0b0) at ./jsinterp.h:352
    #1  0x000000000043a0bb in JSStackFrame::formalArgs (this=0x7f9f0a25a0b0) at ./jsinterp.h:362
    #2  0x000000000043a12a in JSStackFrame::calleeValue (this=0x7f9f0a25a0b0) at ./jsinterp.h:453
    #3  0x000000000043a170 in JSStackFrame::callee (this=0x7f9f0a25a0b0) at ./jsinterp.h:458
    #4  0x000000000043a1db in JSStackFrame::scopeChain (this=0x7f9f0a25a0b0) at ./jsinterp.h:494
    #5  0x000000000041a7b9 in GetGlobalForScopeChain (cx=0x237bbe0) at jscntxtinlines.h:68
    #6  0x000000000042bc85 in JS_GetGlobalForScopeChain (cx=0x237bbe0) at jsapi.cpp:2067
    #7  0x000000000043c21f in CompartmentChecker (this=0x7fffdbaf5a60, cx=0x237bbe0) at ./jscntxtinlines.h:520
    #8  0x0000000000441525 in js::assertSameCompartment<JSObject*, jsid> (cx=0x237bbe0, t1=0x7f9f0a103048, t2={asBits = 140321045365632}) at jscntxtinlines.h:634
    #9  0x000000000042b0d5 in JS_ResolveStandardClass (cx=0x237bbe0, obj=0x7f9f0a103048, id={asBits = 140321045365632}, resolved=0x7fffdbaf5bbc) at jsapi.cpp:1797
    #10 0x000000000040c4e8 in ResolveClass (cx=0x237bbe0, obj=0x7f9f0a103048, id={asBits = 140321045365632}, resolved=0x7fffdbaf5bbc) at js.cpp:3112
    #11 0x00000000004103c2 in global_resolve (cx=0x237bbe0, obj=0x7f9f0a103048, id={asBits = 140321045365632}, flags=1, objp=0x7fffdbaf5c30) at js.cpp:5370
    #12 0x00000000005213bc in CallResolveOp (cx=0x237bbe0, start=0x7f9f0a103048, obj=0x7f9f0a103048, id={asBits = 140321045365632}, flags=1, objp=0x7fffdbaf5e80, propp=0x7fffdbaf5e78, recursedp=0x7fffdbaf5cff) at jsobj.cpp:5037
    #13 0x00000000005215fa in js_LookupPropertyWithFlagsInline (cx=0x237bbe0, obj=0x7f9f0a103048, id={asBits = 140321045365632}, flags=1, objp=0x7fffdbaf5e80, propp=0x7fffdbaf5e78) at jsobj.cpp:5097
    #14 0x000000000052184f in js_LookupPropertyWithFlags (cx=0x237bbe0, obj=0x7f9f0a103048, id={asBits = 140321045365632}, flags=1, objp=0x7fffdbaf5e80, propp=0x7fffdbaf5e78) at jsobj.cpp:5160
    #15 0x00000000004e66f2 in AnalyzeBytecode (cx=0x237bbe0, state=@0x7fffdbaf5ff0, script=0x23f33c0, offset=0) at jsinfer.cpp:2925
    #16 0x00000000004e94b5 in js::types::AnalyzeScriptTypes (cx=0x237bbe0, script=0x23f33c0) at jsinfer.cpp:3673
    #17 0x00000000004ed9c6 in JSScript::typeSetThis (this=0x23f33c0, cx=0x237bbe0, type=37694144) at ./jsinferinlines.h:582
    #18 0x00000000004e37f7 in js::types::TypeCompartment::dynamicCall (this=0x237c470, cx=0x237bbe0, callee=0x7f9f0a110108, args=@0x7fffdbaf61d0, constructing=false) at jsinfer.cpp:1792
    #19 0x00000000004fc5b0 in JSContext::typeMonitorCall (this=0x237bbe0, args=@0x7fffdbaf61d0, constructing=false) at jsinferinlines.h:414
    #20 0x0000000000711677 in js::mjit::stubs::CompileFunction (f=@0x7fffdbaf6230, nactual=0) at ./methodjit/InvokeHelpers.cpp:309
    #21 0x00007f9f0a24c590 in ?? ()
    #22 0x00007f9f0a24a068 in ?? ()
    #23 0x00000000023f4120 in ?? ()
    #24 0x0000000000000000 in ?? ()

In valgrind, the trace looks different and the test case does not crash but asserts.
Comment 1•14 years ago
This is a different symptom for the issue fixed in bug 642985.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Summary: TI: Crash @ [JSStackFrame::numFormalArgs] → TI: Crash [@ JSStackFrame::numFormalArgs]
Updated•14 years ago
Crash Signature: [@ JSStackFrame::numFormalArgs]
Comment 2 (Reporter)•12 years ago
A testcase for this bug was already added in the original bug (bug 642985).
Flags: in-testsuite-