Closed
Bug 771168
Opened 12 years ago
Closed 12 years ago
Assertion failure: isScriptFrame(), at ../../vm/Stack.h:605 or Opt Crash [@ AssertJit]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla18
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [js:t] [jsbugmon:])
Crash Data
The following test asserts/crashes on mozilla-central revision b6aa44d8f11f (options -m -a):
newGlobal("new-compartment").assertJit();
Opt-crash trace:
==14000== Invalid read of size 8
==14000== at 0x40512A: AssertJit(JSContext*, unsigned int, JS::Value*) (jsscript.h:677)
==14000== by 0x49B2EC: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:400)
==14000== by 0x49B9EB: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:119)
==14000== by 0x4DE744: js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:441)
==14000== by 0x54AC94: js::DirectWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jswrapper.cpp:303)
==14000== by 0x54F9C5: js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jswrapper.cpp:699)
==14000== by 0x4DFD56: proxy_Call(JSContext*, unsigned int, JS::Value*) (jsproxy.cpp:1134)
==14000== by 0x49B482: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:400)
==14000== by 0x691B52: js::mjit::stubs::SlowCall(js::VMFrame&, unsigned int) (InvokeHelpers.cpp:133)
==14000== by 0x67D677: js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:1013)
==14000== by 0x403257C: ???
==14000== by 0x6030B0: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1016)
==14000== Address 0x50 is not stack'd, malloc'd or (recently) free'd
Could be just a problem with the assertJit function in the shell.
|
||
Updated•12 years ago
|
Whiteboard: js-triage-needed [jsbugmon:update] → [js:t][jsbugmon:update]
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t][jsbugmon:update] → [js:t] [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 1•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f077de66e52d).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t] [jsbugmon:update,ignore] → [js:t] [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:t] [jsbugmon:bisectfix] → [js:t] [jsbugmon:]
|
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 103262:986c07b3f3e6 user: Luke Wagner date: Fri Aug 17 18:05:06 2012 -0700 summary: Bug 625199 - kill dummy frames (r=mrbkap)
|
||
Comment 3•12 years ago
|
||
You're right, it is a test-only failure. We should remove AssertJit sometime... with TI it has little meaning. https://hg.mozilla.org/integration/mozilla-inbound/rev/c47ec3f2e777
|
||
Comment 4•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/c47ec3f2e777
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
|
|
Reporter | |
Updated•11 years ago
|
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•