Bug 769987 - Crash [@ js::mjit::JITScript::nativeToPC] or [@ js::mjit::JITScript::findCodeChunk]
: crash, csectype-dos, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86_64 Mac OS X
-- critical
: mozilla16
Assigned To: Luke Wagner [:luke]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz 733950 767667
Reported: 2012-06-30 22:16 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:37 PST (History)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

stack (12.26 KB, text/plain)
2012-06-30 22:16 PDT, Gary Kwong [:gkw] [:nth10sd]
fix and test (1.27 KB, patch)
2012-07-01 16:55 PDT, Luke Wagner [:luke]
bhackett1024: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+

Description Gary Kwong [:gkw] [:nth10sd] 2012-06-30 22:16:07 PDT
Created attachment 638169 [details]

function h(code) {
  f = Function(code);
function g() {

crashes js opt shell on m-c changeset d9d61d199b11 with -m and -a at js::mjit::JITScript::nativeToPC and crashes js debug shell at js::mjit::JITScript::findCodeChunk

s-s because this concerns gc.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-06-30 22:35:27 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   97976:d4ac6ac2e618
user:        Luke Wagner
date:        Thu Jun 28 22:50:15 2012 -0700
summary:     Bug 767667 - fix getelem on optimized arguments (r=bhackett)
Comment 2 Luke Wagner [:luke] 2012-07-01 16:55:13 PDT
Created attachment 638236 [details] [diff] [review]
fix and test

The bug is actually pre-existing, just much easier to trigger with bug 767667.

The bug is that HAS_PREVPC is not getting set when frames are being bailed from the VM.  It seems ExpandInlineFrames is necessary and not implied by Recompiler::clearStackReferences.  Brian: perhaps clearStackReferences should ExpandInlineFrames?  (I some call sites were dominated by ExpandInlineFrames, but not all.)
Comment 3 Brian Hackett (:bhackett) 2012-07-04 07:35:01 PDT
Comment on attachment 638236 [details] [diff] [review]
fix and test

Yeah, the recompiler stuff could use some streamlining.
Comment 5 Luke Wagner [:luke] 2012-07-04 10:51:14 PDT
Comment on attachment 638236 [details] [diff] [review]
fix and test

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 733950
User impact if declined: possible crash
Testing completed (on m-c, etc.): m-c
Risk to taking this patch (and alternatives if risky): very low
Comment 6 Luke Wagner [:luke] 2012-07-04 16:27:09 PDT
Comment 7 Alex Keybl [:akeybl] 2012-07-05 16:38:20 PDT
Comment on attachment 638236 [details] [diff] [review]
fix and test

[Triage Comment]
Very low risk fix for a regression in FF14. Approving for branches.
Comment 9 Christian Holler (:decoder) 2013-01-14 08:37:51 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug769987.js.
