Closed Bug 643693 Opened 9 years ago Closed 9 years ago

TI: Crash @ [js::types::TypeCompartment::nukeTypes]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The attached testcase (run with -n -m -a) crashes on TI tip (tested on 64 bit):

0x00000000004e41cf in js::types::TypeCompartment::nukeTypes (this=0xd85470, cx=0xd84be0) at jsinfer.cpp:1929
1929        *((int*)0) = 0;
(gdb) bt
#0  0x00000000004e41cf in js::types::TypeCompartment::nukeTypes (this=0xd85470, cx=0xd84be0) at jsinfer.cpp:1929
#1  0x00000000004e40dc in js::types::TypeCompartment::processPendingRecompiles (this=0xd85470, cx=0xd84be0) at jsinfer.cpp:1890
#2  0x0000000000414416 in js::types::TypeCompartment::checkPendingRecompiles (this=0xd85470, cx=0xd84be0) at ./jsinferinlines.h:185
#3  0x00000000004e4012 in js::types::TypeCompartment::dynamicPush (this=0xd85470, cx=0xd84be0, script=0xe007b0, offset=20, type=7) at jsinfer.cpp:1873
#4  0x0000000000457b18 in JSScript::typeMonitorResult (this=0xe007b0, cx=0xd84be0, pc=0xe00944 "�", type=7) at ./jsinferinlines.h:534
#5  0x00000000004fc79d in JSScript::typeMonitorUnknown (this=0xe007b0, cx=0xd84be0, pc=0xe00944 "�") at ./jsinferinlines.h:567
#6  0x00000000004f7377 in js_OnUnknownMethod (cx=0xd84be0, vp=0x7f277e5bf148) at jsinterp.cpp:558
#7  0x00000000006fbcb6 in js::mjit::ic::CallProp (f=@0x7fff47e7b100, pic=0xe13e48) at ./methodjit/PolyIC.cpp:1944
#8  0x00007f277e5bac8f in ?? ()
#9  0x00007f277e5af068 in ?? ()
#10 0x0000000000e15c30 in ?? ()
#11 0x0000000000000001 in ?? ()
#12 0x0000000000000000 in ?? ()
According to the source code, this is a controlled crash due to a missing function implementation (FIXME).
Fixed by bug 643733 I think. nukeTypes gets called if recompilation fails, which should only happen on OOM. I haven't implemented this yet because I'm not sure yet of the best approach, but also to catch cases like this where we try to destroy types in the compartment due to an unintended failure.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 676763