Bug 653980 - TI: Crash [@ js::StackFrame::isScriptFrame] or [@ js::mjit::Recompiler::recompile]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Duplicates: 653981 654001
Depends on:
Blocks: jsfunfuzz infer-regress 651209
Reported: 2011-05-01 01:30 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:16 PST
choller: in‑testsuite+

Attachment: stacks (5.65 KB, text/plain), 2011-05-01 01:30 PDT, Gary Kwong [:gkw] [:nth10sd], no flags

Description Gary Kwong [:gkw] [:nth10sd] 2011-05-01 01:30:38 PDT
Created attachment 529335

function f(code) {
  try {
  } catch(r) {}
} {
  function x() {}
if (typeof w == "") {}

crashes js opt shell on JM changeset 9723b731e828 with -m, -a and -n at js::mjit::Recompiler::recompile and crashes js debug shell at js::StackFrame::isScriptFrame when the testcase is passed in as a CLI argument to the shell.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68266:e2ac5bec56fb
user:        Brian Hackett
date:        Wed Apr 20 07:06:59 2011 -0700
summary:     [INFER] Don't inline calls from heavyweight or eval scripts, bug 651209.

Comment 1 Brian Hackett (:bhackett) 2011-05-01 17:57:36 PDT
*** Bug 654001 has been marked as a duplicate of this bug. ***

Comment 2 Brian Hackett (:bhackett) 2011-05-01 18:01:30 PDT
*** Bug 653981 has been marked as a duplicate of this bug. ***

Comment 3 Brian Hackett (:bhackett) 2011-05-01 18:03:35 PDT
The CompileFunction stub which we need to special case during recompilation did not clear its indicator value (f.scratch == COMPILE_FUNCTION_SCRATCH_VALUE) if it threw an exception, causing the recompiler to break later on.
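
A simplified model of the root cause described in comment 3, added here as an illustration and not taken from SpiderMonkey or from the fix that landed. Only `f.scratch` and `COMPILE_FUNCTION_SCRATCH_VALUE` come from the comment; the frame layout, the sentinel's value and every function name are assumptions.

```cpp
#include <cstdint>

// Simplified model, not SpiderMonkey source. Only f.scratch and
// COMPILE_FUNCTION_SCRATCH_VALUE are names from comment 3; the rest is assumed.
static const uintptr_t COMPILE_FUNCTION_SCRATCH_VALUE = 0x1; // constructed value

struct VMFrame { uintptr_t scratch = 0; };

// What a recompilation pass concludes about a frame from the marker.
bool recompilerSeesCompileStub(const VMFrame &f) {
    return f.scratch == COMPILE_FUNCTION_SCRATCH_VALUE;
}

// Hypothetical stand-in for compiling the callee. It records whether a
// recompilation triggered mid-compile would see the marker, and returns
// false when a JS exception is pending.
static bool compileCallee(VMFrame &f, bool calleeThrows, bool &seenDuring) {
    seenDuring = recompilerSeesCompileStub(f);
    return !calleeThrows;
}

// Before: the marker is cleared on the success path only.
bool compileFunctionStubBuggy(VMFrame &f, bool calleeThrows, bool &seenDuring) {
    f.scratch = COMPILE_FUNCTION_SCRATCH_VALUE;
    if (!compileCallee(f, calleeThrows, seenDuring))
        return false;   // error exit leaves the marker set
    f.scratch = 0;
    return true;
}

// One way to harden it: a scope guard ties the marker's lifetime to the stub
// call, so every exit path clears it.
struct ScratchMarker {
    VMFrame &f;
    explicit ScratchMarker(VMFrame &frame) : f(frame) {
        f.scratch = COMPILE_FUNCTION_SCRATCH_VALUE;
    }
    ~ScratchMarker() { f.scratch = 0; }
};

bool compileFunctionStubFixed(VMFrame &f, bool calleeThrows, bool &seenDuring) {
    ScratchMarker marker(f);
    return compileCallee(f, calleeThrows, seenDuring);
}
```

In the buggy variant a failed compile returns with the marker still set, so a later recompilation treats an ordinary frame as if it were still inside the stub.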

Comment 4 Christian Holler (:decoder) 2013-01-14 08:16:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug653980.js.
