Bug 646587
Opened 14 years ago
Closed 14 years ago
TI: GC related Crash [@ js::Invoke]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Reporter: decoder, Unassigned
Keywords: crash, testcase
Attachments (1 file): 1.93 KB, application/x-compressed-tar
Description

The attached testcase (unpack, chdir and run main.js with -m -n -a) will crash on TI tip, tested on 64 bit. This looks like a GC related crash:

==1757== Invalid read of size 8
==1757==    at 0x4F4FE0: js::Invoke(JSContext*, js::CallArgs const&, unsigned int) (jsinterp.cpp:728)
==1757==    by 0x71D88A: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:196)
==1757==    by 0x6FC463: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1069)
==1757==    by 0x41B3B50: ???
==1757==    by 0x68C53D: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:742)
==1757==    by 0x68C666: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:771)
==1757==    by 0x68C7DD: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:795)
==1757==    by 0x4F4D06: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:682)
==1757==    by 0x4F64A5: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1094)
==1757==    by 0x43417D: JS_ExecuteScript (jsapi.cpp:5183)
==1757==    by 0x406EC7: Load(JSContext*, unsigned int, jsval_layout*) (js.cpp:1069)
==1757==    by 0x4F99BF: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, js::Value*), unsigned int, js::Value*) (jscntxtinlines.h:688)
==1757==  Address 0xdadadadadadadb3a is not stack'd, malloc'd or (recently) free'd
==1757==
==1757==
==1757== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1•14 years ago
Previously we recorded dependencies which JIT code has on type information with calls like 'types->getKnownTypeTag(cx, script)' where script is the one currently being compiled. This is a crap design when we are inlining frames, as it's super easy to incorrectly pass the inner script rather than the outermost one, record the dependencies wrong and get behavior like this (an inlined call thinks a GNAME is definitely a function which has already been collected). This fixes things by removing the script argument from the calls which record dependencies, and using an AutoEnterCompilation which wraps all such calls and records all dependencies on the outermost script.

http://hg.mozilla.org/projects/jaegermonkey/rev/cc8882cb4cd4
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
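As an added illustration of the design point made in comment 1 (example code written for this page, not SpiderMonkey's own): the Script, TypeSet, Compiler and AutoEnterCompilation types and the recordDependencyOld/recordDependencyNew functions are invented stand-ins that model how a type dependency attached to an inlined callee, rather than to the outermost script being compiled, leaves the outer script's JIT code valid after the assumption it relies on has been invalidated.

```cpp
// Added example, not SpiderMonkey code: models why a JIT must record type
// dependencies against the outermost script being compiled rather than an
// inlined callee. All names here are invented stand-ins for the real engine.
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// A script and a flag saying whether its compiled code is still allowed to run.
struct Script {
    std::string name;
    bool jitValid;
};

// Stand-in for a type set (e.g. the inferred types of a global name). Compiled
// code that assumed "this is definitely a function" registers the script it
// belongs to so that the code can be thrown away when the assumption breaks.
struct TypeSet {
    std::vector<Script*> dependents;
    void addDependency(Script* s) { dependents.push_back(s); }
    // The assumption broke (e.g. the function object was collected): every
    // dependent's compiled code must be invalidated.
    void invalidateDependents() {
        for (Script* s : dependents) s->jitValid = false;
    }
};

// Compilation state: remembers the outermost script of the current compilation.
struct Compiler {
    Script* outermost = nullptr;
};

// RAII guard in the spirit of the AutoEnterCompilation described in comment 1:
// while it is alive, dependency recording has exactly one script to attach to.
struct AutoEnterCompilation {
    Compiler& comp;
    AutoEnterCompilation(Compiler& c, Script* s) : comp(c) { comp.outermost = s; }
    ~AutoEnterCompilation() { comp.outermost = nullptr; }
};

// Old pattern: the caller passes whichever script it happens to hold, which is
// easy to get wrong while inlining.
void recordDependencyOld(TypeSet& ts, Script* script) { ts.addDependency(script); }

// New pattern: no script argument; the guard supplies the outermost script.
void recordDependencyNew(TypeSet& ts, Compiler& c) {
    assert(c.outermost != nullptr);  // must be inside an AutoEnterCompilation
    ts.addDependency(c.outermost);
}

// Compile 'outer' with 'inner' inlined into it. While emitting the inlined
// call, the compiler assumes global 'g' is a function. Returns true if outer's
// compiled code is still marked valid after that assumption is invalidated,
// which would mean the code keeps running against a stale (freed) target.
bool outerStillValidAfterInvalidation(bool useNewPattern) {
    Script outer{"outer", false};
    Script inner{"inner", false};
    TypeSet gTypes;
    Compiler comp;
    {
        AutoEnterCompilation guard(comp, &outer);
        if (useNewPattern)
            recordDependencyNew(gTypes, comp);      // attaches to 'outer'
        else
            recordDependencyOld(gTypes, &inner);    // the inlining mistake
        outer.jitValid = true;                      // compilation succeeded
    }
    // Later: g's function is collected and its type set changes.
    gTypes.invalidateDependents();
    return outer.jitValid;
}

int main() {
    std::printf("old pattern: outer still valid = %d\n",
                outerStillValidAfterInvalidation(false));  // 1: stale code survives
    std::printf("new pattern: outer still valid = %d\n",
                outerStillValidAfterInvalidation(true));   // 0: correctly invalidated
    return 0;
}
```

With the old pattern only 'inner' is invalidated, so 'outer' keeps executing code that assumed the collected function was still live, which is the shape of the crash in the description; with the guard in place there is no script argument to get wrong, and the dependency lands on the script whose code actually embeds the assumption.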
Updated•13 years ago
Crash Signature: [@ js::Invoke]