Closed Bug 679461 Opened 13 years ago Closed 13 years ago

TI: Crash with testcase on Windows 7 involving trap

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase) 

function g() {
    var f
    f = eval("(function(){})")
    trap(f, 0, '')
    f()
}
g("");
gc()

crashes js debug shell on JM changeset 74bfd74ca289 with -m, -a and -d. Because it's on Windows, I don't yet have a stack.
When destroying a script with traps on it the debugger tries to recompile the script, and can do so while in GC (triggering a crash when cx->compartment is accessed).  Will fix this when merging the bug 674251 patch to JM, which changes how the code in this area works.
Get this out of the way until bug 674251 goes in.  When destroying a script, release JIT code for it first so that the debugger hook doesn't try to recompile it.

http://hg.mozilla.org/projects/jaegermonkey/rev/6c8e0affe03e
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
This changeset regressed SS on AWFY by, well, a lot.
Oops, thanks for noticing.  This was causing jitcode to be released from scripts still in the eval cache, and ss-date-format-tofte (which depends heavily on this cache) was repeatedly recompiling those scripts.

http://hg.mozilla.org/projects/jaegermonkey/rev/b61af4d7dc7c
You need to log in before you can comment on or make changes to this bug.