Closed Bug 643266 Opened 10 years ago Closed 10 years ago

TI: Assertion failure: compartment mismatched, at jscntxtinlines.h:530

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase) 

The following code asserts/crashes on TI tip (64 bit) when run with -m -a. Note that -n is not required, I don't know if this is really a JM problem, I was not able to reproduce this on regular tracemonkey tip:

function test() {
    var ctors = [
        Int8Array,
        Uint8ClampedArray];
    for (var i = 0; i < ctors.length; i++) {
        var ctor = ctors[i];
        b = ctor(100);
        var v = 1;
        for (var j = 0; j < 100; ctor()) {
            b[j] = v;
            v *= 7;
        }
    }
}
test();

==26956== Memcheck, a memory error detector
==26956== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==26956== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==26956== Command: /home/decoder/LangFuzz/jaegermonkey-tip/js/src/js -n -a -m min.js
==26956==
==26956== Invalid read of size 8
==26956==    at 0x4130C4: js::gc::Cell::compartment() const (jsgc.h:482)
==26956==    by 0x43C440: js::CompartmentChecker::check(JSObject*) (jscntxtinlines.h:554)
==26956==    by 0x43C501: js::CompartmentChecker::check(js::Value const&) (jscntxtinlines.h:564)
==26956==    by 0x4FC43D: js::CompartmentChecker::check(ValueArray const&) (jscntxtinlines.h:575)
==26956==    by 0x4FD1E9: void js::assertSameCompartment<ValueArray>(JSContext*, ValueArray) (jscntxtinlines.h:626)
==26956==    by 0x4FC4B3: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:685)
==26956==    by 0x4F7B9E: js::Invoke(JSContext*, js::CallArgs const&, unsigned int) (jsinterp.cpp:704)
==26956==    by 0x7123FC: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:196)
==26956==    by 0x6F1452: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1048)
==26956==    by 0x41AFCDD: ???
==26956==    by 0x68E1CB: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:744)
==26956==    by 0x68E2F4: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:773)
==26956==  Address 0x7fefff000 is not stack'd, malloc'd or (recently) free'd
==26956==
*** Compartment mismatch 0x5e35340 vs. 0xbb492024
Assertion failure: compartment mismatched, at jscntxtinlines.h:530
Blocks: 643842
Disable the typed array ICs, which do things which the regalloc did not anticipate and need more thought to decide how to fix.

http://hg.mozilla.org/projects/jaegermonkey/rev/17e44b678d36
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.