Bug 679094 - Crash [@ JSScript::isEmpty] // GC related corruption
js-triage-needed [qa-]
: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86_64 Linux
: -- critical
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
Reported: 2011-08-15 12:47 PDT by Christian Holler (:decoder)
Modified: 2015-10-07 18:43 PDT
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Christian Holler (:decoder) 2011-08-15 12:47:57 PDT
The following test crashes, tested on TI revision 8e7da0684155 (options -j -m -n -a -Z 2):

var TIME_0000  = (function () {  })();
function getTimeZoneDiff() {}

Seems to be a GC related problem that causes a vast number of different crashes. Must be recently introduced during merge with m-c.
Comment 1 Brian Hackett (:bhackett) 2011-08-15 18:59:56 PDT
This is a GC hazard, but it looks like it came in on the merge from jsdbg2 and not as a result of a merge botch.  When defining the globals in a top level script, we would root the script's binding info (primarily its empty shape), but nothing else.  This used to be OK as the script has not had its u.object created yet and is invulnerable to GCs, but now the u.object is created earlier (for the debugger newScript hook) so the script itself can be collected while defining globals.

jorendorff, is there something that should be keeping the script rooted here that I missed?  If not, this should go on m-c now I think.
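The hazard described in comment 1, reduced to a toy mark-sweep heap as an added example (this is not SpiderMonkey code and not from this bug; Cell, Heap and defineGlobals are made-up names): rooting only the script's binding info keeps the empty shape alive, but the script itself becomes unreachable as soon as an allocation made while defining globals triggers a GC.

```cpp
#include <vector>

// One GC-managed thing: here either a "script" or the "empty shape" it owns.
struct Cell {
    bool marked = false;
    bool collected = false;       // sweep flags instead of freeing, so the stale use stays observable
    std::vector<Cell*> children;  // cells this cell keeps alive once it is itself reachable
};

// Toy mark-sweep heap with an explicit root stack, standing in for the engine's rooters.
struct Heap {
    std::vector<Cell*> cells;
    std::vector<Cell*> roots;
    ~Heap() { for (Cell* c : cells) delete c; }

    // Any allocation past the first two may run a GC: this models the script's
    // u.object now being created (and allocating) while globals are still being defined.
    Cell* alloc() {
        if (cells.size() >= 2) gc();
        cells.push_back(new Cell);
        return cells.back();
    }
    static void mark(Cell* c) {
        if (c->marked || c->collected) return;
        c->marked = true;
        for (Cell* k : c->children) mark(k);
    }
    void gc() {
        for (Cell* r : roots) mark(r);
        for (Cell* c : cells) {
            if (!c->marked) c->collected = true;  // unreachable: gone from here on
            c->marked = false;
        }
    }
};

struct Outcome { bool scriptAlive; bool shapeAlive; };

// Define three globals for a top-level script. rootScript=false is the hazard
// from comment 1: only the binding info (empty shape) is rooted, not the script.
Outcome defineGlobals(bool rootScript) {
    Heap heap;
    Cell* script = heap.alloc();
    Cell* emptyShape = heap.alloc();
    script->children.push_back(emptyShape);        // the shape lives as long as the script does
    heap.roots.push_back(emptyShape);              // what the buggy path rooted
    if (rootScript) heap.roots.push_back(script);  // the fix: keep the script itself alive
    for (int i = 0; i < 3; ++i) heap.alloc();      // each global definition allocates, and may GC
    return Outcome{!script->collected, !emptyShape->collected};
}
```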
Comment 2 Christian Holler (:decoder) 2011-08-15 21:59:57 PDT
Ccing clegnitto and chofmann on this, as I can confirm this affects mozilla-central (confirmed with testcase from comment 0 on revision f597467fac5e (debug build) with options "-j -m -Z 2").
Comment 3 chris hofmann 2011-08-15 22:04:34 PDT
yeah, we should get this fixed on mozilla-central and aurora if the change ends up there after the war room work tomorrow.
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2011-08-16 01:17:21 PDT
(In reply to Christian Holler (:decoder) from comment #0)
> Seems to be a GC related problem that causes a vast number of different
> crashes. Must be recently introduced during merge with m-c.

fwiw, I see this too, autoBisect pointing to the m-c merge as well.
Comment 5 Jason Orendorff [:jorendorff] 2011-08-16 04:57:10 PDT
I was never able to reproduce this, but I pushed bhackett's fix, which seems obviously correct per comment 1.
Comment 6 Daniel Veditz [:dveditz] 2011-10-10 14:08:12 PDT
This landed before the merge on 8-16 and is in the Firefox 8 beta repo already.
Comment 7 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-10-13 10:51:42 PDT
qa- as nothing to do for QA fix verification -- please set to qa+ if this is not the case.