Closed Bug 643266 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: compartment mismatched, at jscntxtinlines.h:530

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

The following code asserts/crashes on TI tip (64 bit) when run with -m -a. Note that -n is not required, I don't know if this is really a JM problem, I was not able to reproduce this on regular tracemonkey tip: function test() { var ctors = [ Int8Array, Uint8ClampedArray]; for (var i = 0; i < ctors.length; i++) { var ctor = ctors[i]; b = ctor(100); var v = 1; for (var j = 0; j < 100; ctor()) { b[j] = v; v *= 7; } } } test(); ==26956== Memcheck, a memory error detector ==26956== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al. ==26956== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info ==26956== Command: /home/decoder/LangFuzz/jaegermonkey-tip/js/src/js -n -a -m min.js ==26956== ==26956== Invalid read of size 8 ==26956== at 0x4130C4: js::gc::Cell::compartment() const (jsgc.h:482) ==26956== by 0x43C440: js::CompartmentChecker::check(JSObject*) (jscntxtinlines.h:554) ==26956== by 0x43C501: js::CompartmentChecker::check(js::Value const&) (jscntxtinlines.h:564) ==26956== by 0x4FC43D: js::CompartmentChecker::check(ValueArray const&) (jscntxtinlines.h:575) ==26956== by 0x4FD1E9: void js::assertSameCompartment<ValueArray>(JSContext*, ValueArray) (jscntxtinlines.h:626) ==26956== by 0x4FC4B3: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:685) ==26956== by 0x4F7B9E: js::Invoke(JSContext*, js::CallArgs const&, unsigned int) (jsinterp.cpp:704) ==26956== by 0x7123FC: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:196) ==26956== by 0x6F1452: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1048) ==26956== by 0x41AFCDD: ??? ==26956== by 0x68E1CB: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:744) ==26956== by 0x68E2F4: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:773) ==26956== Address 0x7fefff000 is not stack'd, malloc'd or (recently) free'd ==26956== *** Compartment mismatch 0x5e35340 vs. 0xbb492024 Assertion failure: compartment mismatched, at jscntxtinlines.h:530
Blocks: 643842
Disable the typed array ICs, which do things which the regalloc did not anticipate and need more thought to decide how to fix. http://hg.mozilla.org/projects/jaegermonkey/rev/17e44b678d36
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.