Bug 655940 - TI: Crash [@ js::mjit::JaegerShot]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: infer-regress 630996 650163
Reported: 2011-05-09 21:51 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:34 PST
Flags: choller: in-testsuite+


Description Gary Kwong [:gkw] [:nth10sd] 2011-05-09 21:51:30 PDT
function f0() {
    try {} catch(e) {}
}
for (i = 0; i < 9; i++) {
    new f0;
}

crashes js opt and debug shell on JM changeset 32e8c937a409 with -m, -j, -a and -n at js::mjit::JaegerShot when the testcase is passed in as a CLI argument.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68842:c963b24694cd
user:        Brian Hackett
date:        Mon May 09 07:12:47 2011 -0700
summary:     [INFER] Remove on stack recompilation, allow removed on stack JIT frames to rejoin into the interpreter, bug 650163.
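A reproduction harness for the crash reported above, added here as an example; it is not part of the bug report or of SpiderMonkey. It writes the testcase to a file, hands it to the js shell as a CLI argument with the -m -j -a -n flags the report names, and classifies the shell's exit status so the result can be checked by a script rather than by eye. The JS_SHELL and TESTCASE variables and the function names are assumptions; JS_SHELL is expected to point at a shell built from the JM changeset given in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of SpiderMonkey.
# Assumed environment: JS_SHELL points at a js shell (opt or debug) built
# from JM changeset 32e8c937a409; TESTCASE is where the testcase is written.
JS_SHELL="${JS_SHELL:-./js}"
TESTCASE="${TESTCASE:-bug655940.js}"

# Write the reporter's testcase (closing braces restored) to the given path.
write_testcase() {
    cat > "$1" <<'EOF'
function f0() {
    try {} catch(e) {}
}
for (i = 0; i < 9; i++) {
    new f0;
}
EOF
}

# Map a shell exit status to a verdict. A status above 128 means the child
# died on a signal (139 = SIGSEGV, 138 = SIGBUS on Mac OS X, 134 = SIGABRT
# from a debug-shell assertion); 0 is a clean run; anything else is a
# non-crash failure such as a usage error.
classify_exit() {
    status="$1"
    if [ "$status" -gt 128 ]; then
        echo "crash (signal $((status - 128)))"
    elif [ "$status" -eq 0 ]; then
        echo "clean"
    else
        echo "error (exit $status)"
    fi
}

# Run the testcase as a CLI argument with the flag set from the report
# (-m methodjit, -j tracejit, -a, -n type inference) and report the verdict.
run_testcase() {
    write_testcase "$TESTCASE"
    status=0
    "$JS_SHELL" -m -j -a -n "$TESTCASE" || status=$?
    classify_exit "$status"
}

# Usage: JS_SHELL=/path/to/js sh -c '. ./repro.sh; run_testcase'
```

The verdict strings are stable, so a bisection driver can grep for "crash" across builds; a debug shell that trips an assertion before reaching JaegerShot shows up as signal 6 rather than signal 11, which is worth distinguishing when confirming that a later build actually fixed this bug rather than moving the failure earlier.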
Comment 1 Brian Hackett (:bhackett) 2011-05-10 08:39:51 PDT
Resurrected old issue where the interpreter would compile a function, then have the code be immediately discarded and crash while trying to enter the nonexistent JIT code.  Used to handle this by ensuring the topmost stack frame had a JIT after recompilation, but now that recompilation just discards code we can't rely on that.  The simple thing is to not force compilation in such cases and wait for the script to be called again or have another backedge taken.
Comment 2 Christian Holler (:decoder) 2013-01-19 14:34:45 PST
Automatically extracted testcase for this bug was committed:
