Bug 709909 - [IncrementalGC] Crash [@ JSObject::finalize]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Mac OS X
Importance: -- critical
Assigned To: Bill McCloskey (:billm)
QA Contact: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz IncrementalGC
Reported: 2011-12-12 12:10 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-01-04 16:55 PST

stack (6.27 KB, text/plain)
2011-12-12 12:10 PST, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2011-12-12 12:10:10 PST
Created attachment 581001

function tryItOut(code) {
    f = eval("(function(){" + code + "})");
function z(x, n) {
    for (;;) {
        x = {
            a: x
    for (l in [0]) {\

crashes js opt shell on larch changeset 341396ef32a8 with -m and -a at JSObject::finalize

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   81489:ca2d2123be37
user:        Bill McCloskey
date:        Thu Dec 08 17:38:53 2011 -0800
summary:     [INCREMENTAL] Fix bug 708741
Comment 1 Bill McCloskey (:billm) 2011-12-13 18:09:15 PST

This crashed for me, but with a different stack trace. However, it was a memory corruption bug, so I guess it's not surprising. I'm going to optimistically mark this as fixed. Gary, if you have time, you could backport this patch over the crashing revision and see if the crash goes away. However, I don't think that's strictly necessary.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-12-14 15:15:10 PST
Most of the testcases crashing at this signature did not crash anymore with latest larch tip, so yes, I think this has been fixed.
