Bug 709909 - [IncrementalGC] Crash [@ JSObject::finalize]
Status: RESOLVED FIXED
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Hardware/OS: x86_64 Mac OS X
Priority/Severity: -- / critical
Assigned To: Bill McCloskey (:billm)
Blocks: jsfunfuzz, IncrementalGC
Reported: 2011-12-12 12:10 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-01-04 16:55 PST

Attachments
stack (6.27 KB, text/plain), 2011-12-12 12:10 PST, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2011-12-12 12:10:10 PST
Created attachment 581001: stack

function tryItOut(code) {
    f = eval("(function(){" + code + "})");
    f()
}
function z(x, n) {
    for (;;) {
        x = {
            a: x
        };
    }
}
tryItOut("\
    for (l in [0]) {\
        z()\
    }\
");


crashes js opt shell on larch changeset 341396ef32a8 with -m and -a at JSObject::finalize

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   81489:ca2d2123be37
user:        Bill McCloskey
date:        Thu Dec 08 17:38:53 2011 -0800
summary:     [INCREMENTAL] Fix bug 708741
Comment 1 Bill McCloskey (:billm) 2011-12-13 18:09:15 PST
https://hg.mozilla.org/projects/larch/rev/43f95de7b6b8

This crashed for me, but with a different stack trace. However, it was a memory corruption bug, so I guess it's not surprising. I'm going to optimistically mark this as fixed. Gary, if you have time, you could backport this patch over the crashing revision and see if the crash goes away. However, I don't think that's strictly necessary.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-12-14 15:15:10 PST
Most of the testcases crashing at this signature did not crash anymore with latest larch tip, so yes, I think this has been fixed.