Bug 679094 - Crash [@ JSScript::isEmpty] // GC related corruption
Whiteboard: js-triage-needed [qa-]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
Reported: 2011-08-15 12:47 PDT by Christian Holler (:decoder)
Modified: 2015-10-07 18:43 PDT
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Christian Holler (:decoder) 2011-08-15 12:47:57 PDT
The following test crashes, tested on TI revision 8e7da0684155 (options -j -m -n -a -Z 2):

var TIME_0000  = (function () {  })();
function getTimeZoneDiff() {}

Seems to be a GC related problem that causes a vast amount of different crashes. Must be recently introduced during merge with m-c.
Comment 1 Brian Hackett (:bhackett) 2011-08-15 18:59:56 PDT
This is a GC hazard, but it looks like it came in on the merge from jsdbg2 and not as a result of a merge botch.  When defining the globals in a top level script, we would root the script's binding info (primarily its empty shape), but nothing else.  This used to be OK as the script has not had its u.object created yet and is invulnerable to GCs, but now the u.object is created earlier (for the debugger newScript hook) so the script itself can be collected while defining globals.

jorendorff, is there something that should be keeping the script rooted here that I missed?  If not, this should go on m-c now I think.
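The hazard comment 1 describes, as an added illustration that is not code from the bug or from SpiderMonkey: a toy mark-sweep collector with an explicit root set. Rooting only the script's binding info (its shape) keeps the shape alive but says nothing about the script that points to it; once the script becomes a collectable heap thing before the globals are defined, a GC during that window sweeps it. Every name here (Thing, gc_root, define_globals, the "collectable" flag standing in for "u.object has been created") is invented for the model; the real engine's rooting API and fix are not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy mark-sweep heap. Not SpiderMonkey code; names are invented. */
#define MAX_THINGS 8
#define MAX_ROOTS  8

typedef struct Thing {
    int marked;            /* set by the mark phase, cleared by the sweep */
    int collectable;       /* 0: not yet visible to the GC (the old script) */
    int live;              /* cleared when the sweep reclaims the thing */
    struct Thing *edge[2]; /* outgoing references traced by mark() */
} Thing;

static Thing *heap[MAX_THINGS];
static int nthings;
static Thing **roots[MAX_ROOTS]; /* addresses of pointer slots on the "stack" */
static int nroots;

static void gc_reset(void) {
    for (int i = 0; i < nthings; i++) free(heap[i]);
    nthings = nroots = 0;
}

static Thing *gc_alloc(int collectable) {
    Thing *t = calloc(1, sizeof *t);
    t->collectable = collectable;
    t->live = 1;
    heap[nthings++] = t;
    return t;
}

/* Register a stack slot whose referent must survive the next GC. */
static void gc_root(Thing **slot) { roots[nroots++] = slot; }

static void mark(Thing *t) {
    if (!t || t->marked) return;
    t->marked = 1;
    mark(t->edge[0]);
    mark(t->edge[1]);
}

/* Mark everything reachable from the roots, then sweep what is unmarked
 * and collectable. Non-collectable things survive regardless. */
static void gc_collect(void) {
    for (int i = 0; i < nroots; i++) mark(*roots[i]);
    for (int i = 0; i < nthings; i++) {
        Thing *t = heap[i];
        if (!t->marked && t->collectable) t->live = 0;
        t->marked = 0;
    }
}

/* Models "define the globals of a top-level script": the script owns its
 * binding info (the empty shape); defining a global may allocate and so
 * trigger a GC. script_collectable models whether the script already has
 * its u.object (old code: 0, after the jsdbg2 merge: 1). root_script models
 * the fix of rooting the script itself, not only its shape. Returns 1 if
 * the script is still live after the GC, 0 if it was swept (the crash). */
static int define_globals(int script_collectable, int root_script) {
    gc_reset();
    Thing *script = gc_alloc(script_collectable);
    Thing *shape  = gc_alloc(1);
    script->edge[0] = shape;            /* script -> its empty shape */

    gc_root(&shape);                    /* what the old code rooted */
    if (root_script) gc_root(&script);  /* what the fix adds */

    gc_collect();                       /* GC while defining a global */
    return script->live;
}

int main(void) {
    printf("old script, shape rooted only:  %s\n",
           define_globals(0, 0) ? "survives" : "swept");
    printf("new script, shape rooted only:  %s\n",
           define_globals(1, 0) ? "survives" : "swept");
    printf("new script, script rooted too:  %s\n",
           define_globals(1, 1) ? "survives" : "swept");
    return 0;
}
```

The middle case is the bug: the shape is reachable from the root set, the script is not, and the only reason this was safe before was that the script was not yet something the sweeper could see. Rooting the parent makes the child reachable through the traced edge, which is why rooting the script is sufficient even without a separate root for the shape.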
Comment 2 Christian Holler (:decoder) 2011-08-15 21:59:57 PDT
Ccing clegnitto and chofmann on this, as I can confirm this affects mozilla-central (confirmed with testcase from comment 0 on revision f597467fac5e (debug build) with options "-j -m -Z 2").
Comment 3 chris hofmann 2011-08-15 22:04:34 PDT
yeah, we should get this fixed on mozilla-central and aurora if the change ends up there after the war room work tomorrow.
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2011-08-16 01:17:21 PDT
(In reply to Christian Holler (:decoder) from comment #0)
> Seems to be a GC related problem that causes a vast amount of different
> crashes. Must be recently introduced during merge with m-c.

fwiw, I see this too, autoBisect pointing to the m-c merge as well.
Comment 5 Jason Orendorff [:jorendorff] 2011-08-16 04:57:10 PDT
I was never able to reproduce this, but I pushed bhackett's fix, which seems obviously correct per comment 1.
Comment 6 Daniel Veditz [:dveditz] 2011-10-10 14:08:12 PDT
This landed before the merge on 8-16 and is in the Firefox 8 beta repo already.
Comment 7 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-10-13 10:51:42 PDT
qa- as nothing to do for QA fix verification -- please set to qa+ if this is not the case.