
[IncrementalGC] Crash [@ JSObject::finalize]

RESOLVED FIXED

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: billm)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Other Branch
x86_64
Mac OS X
crash, regression, testcase

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 581001
stack

function tryItOut(code) {
    f = eval("(function(){" + code + "})");
    f()
}
function z(x, n) {
    for (;;) {
        x = {
            a: x
        };
    }
}
tryItOut("\
    for (l in [0]) {\
        z()\
    }\
");


crashes js opt shell on larch changeset 341396ef32a8 with -m and -a at JSObject::finalize

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   81489:ca2d2123be37
user:        Bill McCloskey
date:        Thu Dec 08 17:38:53 2011 -0800
summary:     [INCREMENTAL] Fix bug 708741

(Assignee)

Comment 1

5 years ago
https://hg.mozilla.org/projects/larch/rev/43f95de7b6b8

This crashed for me, but with a different stack trace. However, it was a memory corruption bug, so I guess it's not surprising. I'm going to optimistically mark this as fixed. Gary, if you have time, you could backport this patch over the crashing revision and see if the crash goes away. However, I don't think that's strictly necessary.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 2

5 years ago
Most of the testcases crashing at this signature did not crash anymore with latest larch tip, so yes, I think this has been fixed.
(Reporter)

Updated

5 years ago
Crash Signature: [@ JSObject::finalize]