Segmentation fault in js::analyze::ScriptAnalysis::analyzeBytecode

RESOLVED DUPLICATE of bug 816368

Reporter: philippovmi (Unassigned)
Version: 20 Branch
Platform: x86_64 Linux

Attachments: 1 attachment

Description (Reporter, 6 years ago)
Created attachment 686579 [details]
Full stack

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20121129 Firefox/20.0
Build ID: 20121129180705

Steps to reproduce:

I've built Firefox from trunk and started it.


Actual results:

It crashed with a segmentation fault after several seconds of work. Here's the top of the stack:

#0  0x00007ffff5600e7e in debugMode (this=0xa00000000b80c41) at /home/maxim/projects/mozilla/js/src/jscompartment.h:462
#1  js::analyze::ScriptAnalysis::analyzeBytecode (this=0x7fffc92f1258, cx=0x7fffc6728480) at /home/maxim/projects/mozilla/js/src/jsanalyze.cpp:142
#2  0x00007ffff52cea95 in JSScript::makeAnalysis (this=0x7fffc675a280, cx=0x7fffc6728480) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:5549
#3  0x00007ffff52e09a7 in ensureRanAnalysis (cx=<optimized out>, this=0x7fffc675a280) at /home/maxim/projects/mozilla/js/src/jsinferinlines.h:1717
#4  AnalyzeNewScriptProperties (cx=<optimized out>, type=0x7fffbe72bdc0, fun=<optimized out>, pbaseobj=..., initializerList=0x7fffffff78e0)
    at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:4654
#5  0x00007ffff52e0f98 in CheckNewScriptProperties (cx=0x7fffc6728480, type=..., fun=0x7fffc450c7c0) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:4964
#6  0x00007ffff52e1853 in JSCompartment::getNewType (this=<optimized out>, cx=<optimized out>, proto_=..., fun_=0x7fffc450c7c0, isDOM=false)
    at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:5888
#7  0x00007ffff532063d in js_CreateThisForFunctionWithProto (cx=0x7fffc6728480, callee=..., proto=<optimized out>) at /home/maxim/projects/mozilla/js/src/jsobj.cpp:2359

The full stack is in the `ff.stack' attachment. This crash doesn't occur in safe mode, but even when I disable all plugins, the problem still appears.

It looks like the JS::shadow::compartment member (notice the `this' address) is not initialized, probably because js::gc::ArenaHeader::init wasn't called, though in other respects the ArenaHeader (as computed from the js::gc::Cell address) looks valid.

Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 816368