Closed
Bug 805421
Opened 12 years ago
Closed 12 years ago
crash in js::ion::Cannon
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox19 | --- | affected |
People
(Reporter: martijn.martijn, Assigned: mjrosenb)
References
Details
(Keywords: crash, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
|
3.37 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-0aebea27-d8ea-4bf2-a56c-d6fee2121025 .
=============================================================
0 @0x5cdab000
1 libxul.so js::ion::Cannon Ion.cpp:1370
2 libxul.so js::RunScript jsinterp.cpp:301
3 libxul.so js::InvokeGetterOrSetter jsinterp.cpp:379
4 libxul.so js::GetPropertyHelper jsscopeinlines.h:295
5 libxul.so js::ion::GetPropertyCache IonCaches.cpp:764
6 @0x5c81a652
|
Reporter | |
Comment 1•12 years ago
|
||
This happens for in current trunk build on the Samsung Galaxy Nexus, just by loading http://people.mozilla.org/~mwargers/tests/layout/Morphing%20Clock.htm
|
||
Updated•12 years ago
|
|
|
Reporter | |
Comment 2•12 years ago
|
||
Seems to be wfm in current trunk build.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
|
||
Comment 3•12 years ago
|
||
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3ACannon%28JSContext*%2C+js%3A%3AStackFrame*%29
|
|
||
Updated•12 years ago
|
Crash Signature: [@ js::ion::Cannon(JSContext*, js::StackFrame*)] → [@ js::ion::Cannon(JSContext*, js::StackFrame*)]
[@ @0x0 | js::ion::Cannon(JSContext*, js::StackFrame*)]
|
Assignee | |
Comment 4•12 years ago
|
||
just looking at the backtrace, and the address that we crash at, I think I know what is wrong here. Patch should be coming soon.
|
|
Assignee | |
Comment 5•12 years ago
|
||
I discovered two more ways that we can execute code without going through a flusher. This fixes both of them. It is pretty simple, since the number of transitions from interpreter -> Ion is small
I should also apply a similar fix in the code that transitions to JM, since we can have the exact same issue on an Interp -> JM -> ion sequence
Attachment #685547 -
Flags: review?(dvander)
Comment on attachment 685547 [details] [diff] [review]
/home/mrosenberg/patches/moreFlushes-r0.patch
Review of attachment 685547 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/ion/Ion.cpp
@@ +1450,5 @@
> JSAutoResolveFlags rf(cx, RESOLVE_INFER);
> + AutoFlushCache *afc = cx->compartment->ionCompartment()->flusher();
> + cx->compartment->ionCompartment()->setFlusher(NULL);
> + if (afc)
> + afc->flushAnyway();
Do you also need this pattern around EnterMethodJIT, which can enter Ion code? Or is it only EnterIon?
(If it's needed at both places, I'd recommend folding this logic into an AutoForceFlushCache object.)
Attachment #685547 -
Flags: review?(dvander) → review+
|
||
Comment 7•12 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
|
|
||
Updated•12 years ago
|
Assignee: general → mrosenberg
|
|
||
Updated•12 years ago
|
status-firefox19:
--- → affected
|
|
||
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•