TI: Crash [@ js::StackFrame::isScriptFrame] or [@ js::mjit::Recompiler::recompile]

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 6 years ago
Last modified: 4 years ago
Reporter: gkw
Assigned To: Unassigned
Keywords: crash, regression, testcase
Blocks: 2 bugs
Version: Trunk
Platform: x86, Mac OS X
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked
Attachments: 1 attachment

Description (Reporter, 6 years ago)

Created attachment 529335 [details]: stacks

function f(code) {
  try {
    Function(code)()
  } catch(r) {}
} {
  function x() {}
}
f("")
f("")
f("")
f("x::e")
if (typeof w == "") {}

crashes js opt shell on JM changeset 9723b731e828 with -m, -a and -n at js::mjit::Recompiler::recompile and crashes js debug shell at js::StackFrame::isScriptFrame when the testcase is passed in as a CLI argument to the shell.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68266:e2ac5bec56fb
user:        Brian Hackett
date:        Wed Apr 20 07:06:59 2011 -0700
summary:     [INFER] Don't inline calls from heavyweight or eval scripts, bug 651209.
Duplicate of this bug: 654001
Duplicate of this bug: 653981
The CompileFunction stub which we need to special case during recompilation did not clear its indicator value (f.scratch == COMPILE_FUNCTION_SCRATCH_VALUE) if it threw an exception, causing the recompiler to break later on.

http://hg.mozilla.org/projects/jaegermonkey/rev/3062ff7fef83
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::StackFrame::isScriptFrame] [@ js::mjit::Recompiler::recompile]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug653980.js.
Flags: in-testsuite+