Closed Bug 655940 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::mjit::JaegerShot]

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS


RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

NaN.__proto__;
function f0() {
    try {} catch(e) {}
}
for (i = 0; i < 9; i++) {
    new f0;
    f0();
    gc()
}

crashes js opt and debug shell on JM changeset 32e8c937a409 with -m, -j, -a and -n at js::mjit::JaegerShot when the testcase is passed in as a CLI argument.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68842:c963b24694cd
user:        Brian Hackett
date:        Mon May 09 07:12:47 2011 -0700
summary:     [INFER] Remove on stack recompilation, allow removed on stack JIT frames to rejoin into the interpreter, bug 650163.
Resurrected old issue where the interpreter would compile a function, then have the code be immediately discarded and crash while trying to enter the nonexistent JIT code.  Used to handle this by ensuring the topmost stack frame had a JIT after recompilation, but now that recompilation just discards code we can't rely on that.  The simple thing is to not force compilation in such cases and wait for the script to be called again or have another backedge taken.

http://hg.mozilla.org/projects/jaegermonkey/rev/d6a536a03af1
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::JaegerShot]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+