TI: Crash [@ js::mjit::JaegerShot]

Status
RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 4 years ago

People
Reporter: gkw
Assignee: Unassigned

Tracking
Blocks: 1 bug
Keywords: crash, regression, testcase
Version: Trunk
Hardware: x86
OS: Mac OS X
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 6 years ago)

NaN.__proto__;
function f0() {
    try {} catch(e) {}
}
for (i = 0; i < 9; i++) {
    new f0;
    f0();
    gc()  // shell-only builtin: force a collection between calls
}

Crashes the js opt and debug shells on JM changeset 32e8c937a409 with -m, -j, -a and -n at js::mjit::JaegerShot when the testcase is passed in as a CLI argument.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   68842:c963b24694cd
user:        Brian Hackett
date:        Mon May 09 07:12:47 2011 -0700
summary:     [INFER] Remove on stack recompilation, allow removed on stack JIT frames to rejoin into the interpreter, bug 650163.

Resurrected an old issue where the interpreter would compile a function, then have the code be immediately discarded and crash while trying to enter the nonexistent JIT code. We used to handle this by ensuring the topmost stack frame had a JIT after recompilation, but now that recompilation just discards code we can't rely on that. The simple thing is to not force compilation in such cases and wait for the script to be called again or have another backedge taken.

http://hg.mozilla.org/projects/jaegermonkey/rev/d6a536a03af1
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::JaegerShot]
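The failure mode described in the comment above, as an added example that is not part of the bug or of SpiderMonkey: a toy C++ model of the interpreter's JIT entry step. The types and functions (Script, JitCode, compile, recompile, enterJitOld, enterJitFixed) and the hot-call threshold are assumptions made for the illustration. The old path compiles a hot script and then enters the code unconditionally, so a recompilation that discards the code between compilation and entry leaves it jumping into code that no longer exists; the fixed path re-checks for code before entry and otherwise keeps interpreting until the next call or backedge triggers compilation again.

```cpp
// Added example: a toy model of the JIT entry path described in the comment
// above. Not SpiderMonkey code; Script, JitCode, compile(), recompile(),
// enterJitOld() and enterJitFixed() are hypothetical names. The real engine
// crashed inside the JIT entry trampoline (js::mjit::JaegerShot); this model
// reports that state as Outcome::EnteredMissingCode instead of jumping
// through a null pointer.
#include <cstdint>
#include <cstdio>
#include <memory>

enum class Outcome { RanJit, RanInterpreter, EnteredMissingCode };

struct JitCode {
    std::uint32_t generation;  // which compile produced this code
};

struct Script {
    std::unique_ptr<JitCode> jit;  // null when no compiled code exists
    unsigned useCount = 0;         // calls + backedges since the last compile attempt
    unsigned hotThreshold = 2;     // compile once the script has been used this often
    unsigned compiles = 0;         // number of compiler runs, for the checks below
};

// Emit code for the script and reset the use counter: the script has to
// become hot again before the next compile attempt.
void compile(Script& s) {
    s.compiles++;
    s.jit.reset(new JitCode{s.compiles});
    s.useCount = 0;
}

// A recompilation request, e.g. type inference learned something that
// invalidates the code. After the bisected changeset this only discards the
// code; nothing guarantees that a replacement exists afterwards.
void recompile(Script& s) {
    s.jit.reset();
}

// One call or backedge, old behaviour. recompileDuringCompile simulates a
// recompilation that fires after the code is emitted but before it is entered.
Outcome enterJitOld(Script& s, bool recompileDuringCompile) {
    if (!s.jit) {
        if (++s.useCount < s.hotThreshold)
            return Outcome::RanInterpreter;   // not hot yet, keep interpreting
        compile(s);
        if (recompileDuringCompile)
            recompile(s);                     // code discarded before anyone entered it
    }
    // Old assumption: the topmost frame still has JIT code after a
    // recompilation, so the code pointer is used unchecked. In the real
    // engine this is the jump into nonexistent code.
    if (!s.jit)
        return Outcome::EnteredMissingCode;
    return Outcome::RanJit;
}

// Same step after the fix: if the code is gone by the time we would enter it,
// do not force entry; keep interpreting and let the next call or backedge
// trigger compilation again.
Outcome enterJitFixed(Script& s, bool recompileDuringCompile) {
    if (!s.jit) {
        if (++s.useCount < s.hotThreshold)
            return Outcome::RanInterpreter;
        compile(s);
        if (recompileDuringCompile)
            recompile(s);
        if (!s.jit)
            return Outcome::RanInterpreter;   // the check the old path lacked
    }
    return Outcome::RanJit;
}

int main() {
    const char* names[] = {"RanJit", "RanInterpreter", "EnteredMissingCode"};
    Script s;  // old path: second use compiles, recompile discards, entry fails
    std::printf("old:   %s\n", names[static_cast<int>(enterJitOld(s, false))]);
    std::printf("old:   %s\n", names[static_cast<int>(enterJitOld(s, true))]);
    Script t;  // fixed path: same sequence, then two more uses recompile and enter
    std::printf("fixed: %s\n", names[static_cast<int>(enterJitFixed(t, false))]);
    std::printf("fixed: %s\n", names[static_cast<int>(enterJitFixed(t, true))]);
    std::printf("fixed: %s\n", names[static_cast<int>(enterJitFixed(t, false))]);
    std::printf("fixed: %s\n", names[static_cast<int>(enterJitFixed(t, false))]);
    return 0;
}
```

Builds with any C++11 compiler (g++ -std=c++11). The check worth taking away is the one-line difference between the two entry functions: after any operation that can discard JIT code, the code pointer about to be jumped through must be re-read and validated, not assumed alive from an earlier step.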
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+