Closed
Bug 741207
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::StackFrame::updateEpilogueFlags]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 743096
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on ionmonkey revision e96d5b1f47b8 (run with --ion -n -m --ion-eager):

var i = -1;
var j = -1;
var s = '';
var f = '';
evaluate("\
function f() {\
    var obj = {\
        p0:0, p1:1, p2:2, p3:3, p4:4, p5:5, p6:6, p7:7, p8:8, p9:9, \
        p10:0, p11:1, p12:2, p13:3, p14:4, p15:5, p16:6, p17:7, p18:8, p19:9, \
    };\
}\
actual = f();\
");
Comment 1 (Reporter) • 12 years ago
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000066bf6b in js::StackFrame::updateEpilogueFlags (this=0x7ffff69421d0) at ../vm/Stack-inl.h:420
420         script()->nesting()->activeFrames++;
(gdb) bt
#0  0x000000000066bf6b in js::StackFrame::updateEpilogueFlags (this=0x7ffff69421d0) at ../vm/Stack-inl.h:420
#1  0x000000000071f8cf in EnterIon (cx=0xa32d30, fp=0x7ffff69421d0, jitcode=0x7ffff7fb6a20) at /srv/repos/ionmonkey/js/src/ion/Ion.cpp:975
#2  0x000000000071fab0 in js::ion::Cannon (cx=0xa32d30, fp=0x7ffff69421d0, newType=false) at /srv/repos/ionmonkey/js/src/ion/Ion.cpp:1000
#3  0x00000000004f4237 in js::Interpret (cx=0xa32d30, entryFrame=0x7ffff6942148, interpMode=js::JSINTERP_NORMAL) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:2785
#4  0x00000000004e6e43 in js::RunScript (cx=0xa32d30, script=0x7ffff6707350, fp=0x7ffff6942148) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:480
#5  0x00000000004e7a3a in js::ExecuteKernel (cx=0xa32d30, script=0x7ffff6707350, scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=0x0, result=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:678
#6  0x00000000004e7c48 in js::Execute (cx=0xa32d30, script=0x7ffff6707350, scopeChainArg=..., rval=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:720
#7  0x000000000043efd9 in EvaluateUCScriptForPrincipalsCommon (cx=0xa32d30, obj=0x7ffff6703060, principals=0x0, originPrincipals=0x0, chars=0xa41de0, length=199, filename=0x80fa28 "@evaluate", lineno=0, rval=0x7ffff6942120, compileVersion=JSVERSION_ECMA_5) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5277
#8  0x000000000043f098 in JS_EvaluateUCScriptForPrincipals (cx=0xa32d30, obj=0x7ffff6703060, principals=0x0, chars=0xa41de0, length=199, filename=0x80fa28 "@evaluate", lineno=0, rval=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5288
#9  0x000000000043f257 in JS_EvaluateUCScript (cx=0xa32d30, obj=0x7ffff6703060, chars=0xa41de0, length=199, filename=0x80fa28 "@evaluate", lineno=0, rval=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/jsapi.cpp:5322
#10 0x0000000000407c3f in Evaluate (cx=0xa32d30, argc=1, vp=0x7ffff6942120) at /srv/repos/ionmonkey/js/src/shell/js.cpp:871
#11 0x00000000004e117d in js::CallJSNative (cx=0xa32d30, native=0x407ad0 <Evaluate(JSContext*, unsigned int, jsval*)>, args=...) at ../jscntxtinlines.h:314
#12 0x00000000004e71af in js::InvokeKernel (cx=0xa32d30, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:524
#13 0x00000000004f3a97 in js::Interpret (cx=0xa32d30, entryFrame=0x7ffff69420b0, interpMode=js::JSINTERP_BAILOUT) at /srv/repos/ionmonkey/js/src/jsinterp.cpp:2725
#14 0x00000000007e7f76 in js::ion::ThunkToInterpreter (vp=0x7fffffffd5e8) at /srv/repos/ionmonkey/js/src/ion/Bailouts.cpp:597
#15 0x00007ffff7fb6639 in ?? ()
Updated (Reporter) • 12 years ago
Whiteboard: [jsbugmon:update]
Comment 2 (Reporter) • 12 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 67bf9a4a1f77).
Updated (Reporter) • 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3 (Reporter) • 12 years ago
Bisect shows:

The first good revision is:
changeset:   92558:e57e79302ed6
user:        Nicolas Pierron
date:        Mon Apr 09 18:40:37 2012 -0700
summary:     InitProp: Fix dynamic slot index. (Bug 743096, r=sstangl)

pierron, can I close this bug as dup?
Comment 4 • 12 years ago
(In reply to Christian Holler (:decoder) from comment #3)
> pierron, can I close this bug as dup?

Yes.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Comment 5 (Reporter) • 11 years ago
A testcase for this bug was already added in the original bug (bug 743096).
Flags: in-testsuite-