Bug 653980 - TI: Crash [@ js::StackFrame::isScriptFrame] or [@ js::mjit::Recompiler::recompile]
Status: RESOLVED FIXED
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Priority: --
Severity: critical
Assigned To: general
Duplicates: 653981 654001
Blocks: jsfunfuzz infer-regress 651209
Reported: 2011-05-01 01:30 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:16 PST
Flags: choller: in-testsuite+


Attachments
stacks (5.65 KB, text/plain), 2011-05-01 01:30 PDT, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2011-05-01 01:30:38 PDT
Created attachment 529335: stacks

function f(code) {
  try {
    Function(code)()
  } catch(r) {}
} {
  function x() {}
}
f("")
f("")
f("")
f("x::e")
if (typeof w == "") {}

crashes js opt shell on JM changeset 9723b731e828 with -m, -a and -n at js::mjit::Recompiler::recompile and crashes js debug shell at js::StackFrame::isScriptFrame when the testcase is passed in as a CLI argument to the shell.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68266:e2ac5bec56fb
user:        Brian Hackett
date:        Wed Apr 20 07:06:59 2011 -0700
summary:     [INFER] Don't inline calls from heavyweight or eval scripts, bug 651209.
Comment 1 Brian Hackett (:bhackett) 2011-05-01 17:57:36 PDT
*** Bug 654001 has been marked as a duplicate of this bug. ***
Comment 2 Brian Hackett (:bhackett) 2011-05-01 18:01:30 PDT
*** Bug 653981 has been marked as a duplicate of this bug. ***
Comment 3 Brian Hackett (:bhackett) 2011-05-01 18:03:35 PDT
The CompileFunction stub which we need to special case during recompilation did not clear its indicator value (f.scratch == COMPILE_FUNCTION_SCRATCH_VALUE) if it threw an exception, causing the recompiler to break later on.

http://hg.mozilla.org/projects/jaegermonkey/rev/3062ff7fef83
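The failure mode described in comment 3, restated as an added example that is not SpiderMonkey's code: every type, value and function name below is constructed for illustration (only the constant name COMPILE_FUNCTION_SCRATCH_VALUE comes from the comment; its value here is arbitrary). A stub sets an indicator on its frame, but clears it only on the normal-return path; when the compiled code throws, the error return skips the clear and a later recompile misreads the stale value as "still inside the stub". The fixed shape uses a scope guard so that both exit paths reset the indicator.

```cpp
#include <cassert>
#include <cstdint>
#include <functional>

// Constructed model, not SpiderMonkey's types. The constant name is the one
// quoted in comment 3; the value is arbitrary.
constexpr std::uintptr_t COMPILE_FUNCTION_SCRATCH_VALUE = 0xC0FFEE;

// Hypothetical stub frame: the recompiler reads `scratch` to decide whether a
// frame is sitting inside the CompileFunction stub and needs special casing.
struct StubFrame {
    std::uintptr_t scratch = 0;
};

// Buggy shape: the indicator is cleared only on the normal-return path. A JS
// exception surfaces as a `false` return (the engine's convention), and that
// early return skips the clear, so the stale value survives into a later
// recompile.
bool compileFunctionStubBuggy(StubFrame &f, const std::function<bool()> &body) {
    f.scratch = COMPILE_FUNCTION_SCRATCH_VALUE;
    if (!body())
        return false;               // exception path: scratch never reset
    f.scratch = 0;
    return true;
}

// Fixed shape: a scope guard resets the indicator on every exit path, so the
// error return and the normal return leave the frame in the same state.
struct ScratchGuard {
    StubFrame &frame;
    explicit ScratchGuard(StubFrame &f) : frame(f) { frame.scratch = COMPILE_FUNCTION_SCRATCH_VALUE; }
    ~ScratchGuard() { frame.scratch = 0; }
    ScratchGuard(const ScratchGuard &) = delete;
    ScratchGuard &operator=(const ScratchGuard &) = delete;
};

bool compileFunctionStubFixed(StubFrame &f, const std::function<bool()> &body) {
    ScratchGuard guard(f);
    return body();                  // guard destructor runs on both outcomes
}

// What the recompiler would later conclude from the frame: a leftover
// indicator makes it special-case a frame that is no longer in the stub.
bool recompilerSeesStaleIndicator(const StubFrame &f) {
    return f.scratch == COMPILE_FUNCTION_SCRATCH_VALUE;
}

// Drive one stub with a body that "throws" (returns false), the way
// Function("x::e")() does inside the testcase's try/catch, and report whether
// the indicator leaked past the stub.
bool indicatorLeaks(bool useFixedStub) {
    StubFrame f;
    auto throwingBody = [] { return false; };   // constructed: models a SyntaxError
    bool ok = useFixedStub ? compileFunctionStubFixed(f, throwingBody)
                           : compileFunctionStubBuggy(f, throwingBody);
    assert(!ok);                                // caller swallows it, like catch(r) {}
    return recompilerSeesStaleIndicator(f);
}

// Control: on the normal-return path both shapes clear the indicator, which is
// why the bug only shows up once the compiled code throws.
bool indicatorClearedOnSuccess(bool useFixedStub) {
    StubFrame f;
    auto okBody = [] { return true; };
    bool ok = useFixedStub ? compileFunctionStubFixed(f, okBody)
                           : compileFunctionStubBuggy(f, okBody);
    return ok && !recompilerSeesStaleIndicator(f);
}

int main() {
    // Buggy stub leaks the indicator after a throw; the fixed stub does not.
    return (indicatorLeaks(false) && !indicatorLeaks(true) &&
            indicatorClearedOnSuccess(false) && indicatorClearedOnSuccess(true)) ? 0 : 1;
}
```

The pattern to check for in any stub that tags its frame for a later consumer is that every return path, including the error path that the engine expresses as a `false` return, restores the tag; a guard object makes that property hold by construction rather than by inspection.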
Comment 4 Christian Holler (:decoder) 2013-01-14 08:16:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug653980.js.
