Bug 679094 - Crash [@ JSScript::isEmpty] // GC related corruption
Status: RESOLVED FIXED (Closed)
Opened 12 years ago; Closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Release | Tracking | Status
---|---|---
firefox7 | --- | unaffected
firefox8 | + | fixed
People: Reporter: decoder, Unassigned
Keywords: crash, regression, testcase
Whiteboard: js-triage-needed [qa-]
The following test crashes, tested on TI revision 8e7da0684155 (options -j -m -n -a -Z 2):

```js
var TIME_0000 = (function () { })();
function getTimeZoneDiff() {}
```

Seems to be a GC related problem that causes a vast amount of different crashes. Must be recently introduced during merge with m-c.
Comment 1•12 years ago
This is a GC hazard, but it looks like it came in on the merge from jsdbg2 and not as a result of a merge botch. When defining the globals in a top level script, we would root the script's binding info (primarily its empty shape), but nothing else. This used to be OK as the script has not had its u.object created yet and is invulnerable to GCs, but now the u.object is created earlier (for the debugger newScript hook) so the script itself can be collected while defining globals. jorendorff, is there something that should be keeping the script rooted here that I missed? If not, this should go on m-c now I think. http://hg.mozilla.org/projects/jaegermonkey/rev/74bfd74ca289
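The hazard comment 1 describes, an object that is live from the engine's point of view but not reachable from any GC root while a "can GC" operation runs, is easiest to see in a small model. The following is a constructed mark-and-sweep model added here for illustration; it is not SpiderMonkey code and not the patch from this bug. The object names ("script", "empty-shape", "global-binding") and the `define_globals` function are hypothetical stand-ins for the sequence in comment 1: the script's bindings get rooted, the script itself only does when `root_script` is true, and every allocation may trigger a collection.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed mark-and-sweep model of a rooting hazard (hypothetical,
 * not SpiderMonkey code). Every allocation may trigger a collection,
 * and only objects reachable from the root stack survive it. */
#define MAX_OBJS 8
#define MAX_ROOTS 8

typedef struct Obj {
    bool live;       /* slot holds an allocated object */
    bool marked;     /* reached from a root during the last mark phase */
    char name[16];
} Obj;

static Obj heap[MAX_OBJS];
static Obj *roots[MAX_ROOTS];
static int nroots;

static void push_root(Obj *o) { assert(nroots < MAX_ROOTS); roots[nroots++] = o; }
static void pop_root(void)    { assert(nroots > 0); nroots--; }

static void collect(void) {
    for (int i = 0; i < MAX_OBJS; i++) heap[i].marked = false;
    for (int i = 0; i < nroots; i++) roots[i]->marked = true;   /* mark */
    for (int i = 0; i < MAX_OBJS; i++)                          /* sweep */
        if (heap[i].live && !heap[i].marked) heap[i].live = false;
}

/* Allocate an object, running a collection first so that every allocation
 * is a "can GC" point. Freed slots are reused, as a real heap would. */
static Obj *alloc(const char *name) {
    collect();
    for (int i = 0; i < MAX_OBJS; i++) {
        if (!heap[i].live) {
            heap[i].live = true;
            snprintf(heap[i].name, sizeof heap[i].name, "%s", name);
            return &heap[i];
        }
    }
    return NULL; /* out of memory: not exercised in this model */
}

static void reset_heap(void) { memset(heap, 0, sizeof heap); nroots = 0; }

/* Mirrors the sequence described in comment 1: a script object exists,
 * then its bindings (empty shape, then a global) are created and rooted,
 * while the script itself is rooted only when root_script is true.
 * Returns true if the script survived intact, false if its slot was
 * collected and recycled underneath the caller's pointer. */
static bool define_globals(bool root_script) {
    reset_heap();
    Obj *script = alloc("script");
    if (root_script) push_root(script);

    Obj *shape = alloc("empty-shape");      /* may GC: an unrooted script dies here */
    push_root(shape);
    Obj *global = alloc("global-binding");  /* may GC again */
    push_root(global);
    (void)global;

    /* The caller still holds `script`; check whether it is what it thinks it is. */
    bool intact = strcmp(script->name, "script") == 0;

    pop_root();
    pop_root();
    if (root_script) pop_root();
    return intact;
}

int main(void) {
    printf("script unrooted: %s\n", define_globals(false) ? "intact" : "recycled (hazard)");
    printf("script rooted:   %s\n", define_globals(true)  ? "intact" : "recycled (hazard)");
    return 0;
}
```

With the script unrooted, the collection triggered by the second allocation sweeps it and the freed slot is immediately reused for the shape, so the caller's `script` pointer now names a different object; that is the kind of corruption behind the varied crash signatures in comment 0. Rooting the script across the allocations, which is what the fix in comment 1 does at the engine level, keeps it marked and intact.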
Updated•12 years ago
Group: core-security
Comment 2•12 years ago
Ccing clegnitto and chofmann on this, as I can confirm this affects mozilla-central (confirmed with testcase from comment 0 on revision f597467fac5e (debug build) with options "-j -m -Z 2").
Updated•12 years ago
Summary: TI: Crash [@ JSScript::isEmpty] // GC related corruption → Crash [@ JSScript::isEmpty] // GC related corruption
Comment 3•12 years ago
yeah, we should get this fixed on mozilla-central and aurora if the change ends up there after the war room work tomorrow.
tracking-firefox8: --- → ?
Comment 4•12 years ago
(In reply to Christian Holler (:decoder) from comment #0)
> Seems to be a GC related problem that causes a vast amount of different
> crashes. Must be recently introduced during merge with m-c.

fwiw, I see this too, autoBisect pointing to the m-c merge as well.
Comment 5•12 years ago
I was never able to reproduce this, but I pushed bhackett's fix, which seems obviously correct per comment 1. http://hg.mozilla.org/mozilla-central/rev/7027d3788076
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6•12 years ago
This landed before the merge on 8-16 and is in the Firefox 8 beta repo already.
status-firefox7: --- → unaffected
status-firefox8: --- → fixed
Keywords: regression, regressionwindow-wanted
Updated•12 years ago
Group: core-security
qa- as nothing to do for QA fix verification -- please set to qa+ if this is not the case.
Whiteboard: js-triage-needed → js-triage-needed [qa-]
Updated•8 years ago
Keywords: regressionwindow-wanted