Closed Bug 660850 Opened 14 years ago Closed 14 years ago

TI: Crash [@ js::mjit::JITScript::nativeToPC]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

stack
1.96 KB, text/plain
Details
The attached testcase in the next comment crashes js debug shell on JM changeset 0cc71b0c30f4 with -m, -a and -n at js::mjit::JITScript::nativeToPC
Attached file stack
debug stack on Linux
The root problem here is that CompileFunction did not respect several invariants used in other call paths to make sure we are able to recompile a caller while in the middle of compiling its callee. The VMFrame's regs were incorrect, the callee frame was being pushed onto f.regs inappropriately, the writes to ncode happened differently. Other places in the recompiler code were hacking around this already, but these were incomplete. Rather than pile more complexity onto CompileFunction, the fix below guts it so that it just pops the partially initialized frame and invokes UncachedNew/UncachedCall (a fix I've wanted to do for some time). http://hg.mozilla.org/projects/jaegermonkey/rev/750eb028fb06
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::JITScript::nativeToPC]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: