Closed Bug 728609 Opened 14 years ago Closed 13 years ago

[IncrementalGC] Crash [@ js::mjit::JITScript::chunkIndex]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla13
Tracking Flags:
Tracking Status
firefox13 --- verified

People

(Reporter: decoder, Assigned: billm)

References

Details

(Keywords: crash, testcase, Whiteboard: [qa!])

Crash Data

Attachments

(1 file)

patch
2.26 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
The following test crashes on larch branch (incremental GC) revision 1b4a30320120 (options -m -n -a): var lfcode = new Array(); lfcode.push("\ test();\ function test() {\ function removeAllProperties(o) {\ bar() = thaw, patterns;\ }\ var o = {};\ o.first = { toSource: function() { removeAllProperties(o); } };\ return o.toSource();\ }\ "); lfcode.push("test();"); gczeal(4); while (true) { var file = lfcode.shift(); if (file == undefined) { break; } loadFile(file); } function loadFile(lfVarx) { try { evaluate(lfVarx); } catch (lfVare) { } } Crash Trace: Program received signal SIGSEGV, Segmentation fault. 0x000000000046079a in js::mjit::JITScript::chunkIndex (this=0x0, pc=0xb7228f ":") at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.h:818 818 unsigned offset = pc - script->code; (gdb) bt 8 #0 0x000000000046079a in js::mjit::JITScript::chunkIndex (this=0x0, pc=0xb7228f ":") at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.h:818 #1 0x000000000046087b in js::mjit::JITScript::chunk (this=0x0, pc=0xb7228f ":") at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.h:831 #2 0x0000000000734da8 in js::VMFrame::chunk (this=0x7fffffff93a0) at ../methodjit/MethodJIT.h:969 #3 0x00000000007364dc in CallCompiler::disable (this=0x7fffffff9360) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MonoIC.cpp:584 #4 0x00000000007384c3 in CallCompiler::update (this=0x7fffffff9360) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MonoIC.cpp:972 #5 0x00000000007334ba in js::mjit::ic::Call (f=..., ic=0xb78f98) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MonoIC.cpp:1018 #6 0x000000000069a48e in JaegerTrampolineReturn () at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.cpp:160 #7 0x000000000069a79e in js::mjit::EnterMethodJIT (cx=0xb6cb30, fp=0x7ffff0beb270, code=0x7ffff7f48cd0, stackLimit=0x7ffff0fcb000, partial=false) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.cpp:1053 #8 0x000000000069aa14 in CheckStackAndEnterMethodJIT (cx=0xb6cb30, fp=0x7ffff0beb270, code=0x7ffff7f48cd0, partial=false) at /home/ownhero/homes/mozilla/repos/larch/js/src/methodjit/MethodJIT.cpp:1112 Might be related to bug 728506.
Attached patch patchSplinter Review
I was incrementing the gcNumber is StartVerifyBarriers, but not in EndVerifyBarriers, even though they both discard jit code.
Attachment #600120 - Flags: review?(bhackett1024)
Attachment #600120 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/51c51a451762
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [qa+]
Ubuntu 11.10 64bit Build: mozilla-beta-5f412ea09aba I built Jaegermonkey and ran the test from comment #0: no crash/assertion/failure occured. Marking verified for firefox 13.
Status: RESOLVED → VERIFIED
status-firefox13: fixedverified
Whiteboard: [qa+] → [qa!]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug728609.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: