Created attachment 523081: shell testcase (1.93 KB, application/x-compressed-tar), unpack, chdir and run main.js with options "-n -m -a"

The attached testcase (unpack, chdir and run main.js with -m -n -a) will crash on TI tip, tested on 64 bit. This looks like a GC related crash:

==1757== Invalid read of size 8
==1757==    at 0x4F4FE0: js::Invoke(JSContext*, js::CallArgs const&, unsigned int) (jsinterp.cpp:728)
==1757==    by 0x71D88A: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:196)
==1757==    by 0x6FC463: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1069)
==1757==    by 0x41B3B50: ???
==1757==    by 0x68C53D: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:742)
==1757==    by 0x68C666: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:771)
==1757==    by 0x68C7DD: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:795)
==1757==    by 0x4F4D06: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:682)
==1757==    by 0x4F64A5: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1094)
==1757==    by 0x43417D: JS_ExecuteScript (jsapi.cpp:5183)
==1757==    by 0x406EC7: Load(JSContext*, unsigned int, jsval_layout*) (js.cpp:1069)
==1757==    by 0x4F99BF: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:688)
==1757==  Address 0xdadadadadadadb3a is not stack'd, malloc'd or (recently) free'd
==1757==
==1757==
==1757== Process terminating with default action of signal 11 (SIGSEGV)
Previously we recorded dependencies which JIT code has on type information with calls like 'types->getKnownTypeTag(cx, script)' where script is the one currently being compiled. This is a crap design when we are inlining frames, as it's super easy to incorrectly pass the inner script rather than the outermost one, record the dependencies wrong and get behavior like this (an inlined call thinks a GNAME is definitely a function which has already been collected).

This fixes things by removing the script argument from the calls which record dependencies, and using an AutoEnterCompilation which wraps all such calls and records all dependencies on the outermost script.

http://hg.mozilla.org/projects/jaegermonkey/rev/cc8882cb4cd4
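The following C++ sketch is an added illustration of the design point in the comment above; it is not SpiderMonkey code, and every name in it (Script, TypeSet, CompilationState, AutoEnterCompilation, getKnownTypeTag, addType) is a simplified stand-in for the engine's real types. It contrasts a per-call script argument, which an inlining compiler can pass wrongly, with an RAII scope that pins the outermost script so every dependency recorded during the compilation lands on it. Invalidation is modelled as clearing a flag rather than discarding real JIT code.

```cpp
// Added illustration, not SpiderMonkey code: stand-in types for JIT type
// dependencies, showing why a per-call script argument misrecords
// dependencies under inlining and how an RAII compilation scope fixes it.
#include <cassert>
#include <set>
#include <string>

struct Script {
    std::string name;
    bool hasJitCode = false;   // true while a compilation of this script is live
};

// A type set that compiled code may query. Recording a dependency means
// "if this set changes later, discard the dependent script's JIT code".
struct TypeSet {
    std::string knownType;      // e.g. "function"; "" once the set is mixed
    std::set<Script*> dependents;

    // Old-style query: the caller names the script to record as dependent.
    // While emitting an inlined callee it is easy to pass the callee here,
    // which is the misrecording described in the comment above.
    std::string getKnownTypeTagOld(Script* script) {
        dependents.insert(script);
        return knownType;
    }
};

// Per-compilation state: exactly one outermost script per compilation.
struct CompilationState {
    Script* outermost = nullptr;
};

// RAII guard around a whole compilation: every dependency recorded while it
// is alive attaches to the outermost script, whatever frame is being inlined.
class AutoEnterCompilation {
    CompilationState& state_;
public:
    AutoEnterCompilation(CompilationState& s, Script* outer) : state_(s) {
        assert(state_.outermost == nullptr);  // compilations do not nest here
        state_.outermost = outer;
        outer->hasJitCode = true;
    }
    ~AutoEnterCompilation() { state_.outermost = nullptr; }
};

// New-style query: no script parameter to get wrong; the dependency is
// recorded on the script currently being compiled.
std::string getKnownTypeTag(TypeSet& ts, CompilationState& state) {
    assert(state.outermost != nullptr);
    ts.dependents.insert(state.outermost);
    return ts.knownType;
}

// A new type flows into the set: every dependent compilation is discarded.
void addType(TypeSet& ts, const std::string& t) {
    if (ts.knownType == t) return;
    ts.knownType = "";  // now mixed, no single known tag
    for (Script* s : ts.dependents) s->hasJitCode = false;
    ts.dependents.clear();
}

// Scenario shared by both variants: `outer` is compiled with `inner`
// inlined, and the inlined body assumes global `f` is a function. Later
// `f` is reassigned to a non-function. Each function returns whether
// outer's JIT code, which embeds the stale assumption, was invalidated.
bool oldApiInvalidatesOuter() {
    Script outer{"outer"}, inner{"inner"};
    TypeSet f{"function", {}};
    outer.hasJitCode = true;
    // The compiler is emitting inner's body, so it passes inner: the bug.
    std::string tag = f.getKnownTypeTagOld(&inner);
    assert(tag == "function");
    addType(f, "int");          // e.g. f = 42 at runtime
    return !outer.hasJitCode;   // false: outer keeps running stale code
}

bool newApiInvalidatesOuter() {
    Script outer{"outer"}, inner{"inner"};
    (void)inner;                // inlined callee; it no longer matters which
    TypeSet f{"function", {}};  // frame asks the question
    CompilationState state;
    {
        AutoEnterCompilation enter(state, &outer);
        std::string tag = getKnownTypeTag(f, state);  // lands on outer
        assert(tag == "function");
    }
    addType(f, "int");
    return !outer.hasJitCode;   // true: outer's code is discarded
}
```

In the old variant the dependency is recorded on `inner`, so the type change invalidates nothing that is actually running and `outer` continues with a compiled assumption that no longer holds, which is the shape of the crash in the report; in the new variant the guard leaves the inlining code with no script to choose, so the outermost compilation is always the one discarded.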
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED