Closed
Bug 842025
Opened 12 years ago
Closed 12 years ago
crash in js::ion::IonBuilder::getTypedArrayLength
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 841462
| Tracking | Status | |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | + | fixed |
People
(Reporter: scoobidiver, Unassigned)
References
()
Details
(Keywords: crash, regression, reproducible)
Crash Data
Attachments
(2 files)
|
277 bytes,
application/javascript
|
Details | |
|
1.12 KB,
patch
|
Details | Diff | Splinter Review |
It first showed up in 21.0a1/20130215. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aceeea086ccb&tochange=953b1db7a246
Signature js::ion::IonBuilder::getTypedArrayLength(js::ion::MDefinition*) More Reports Search
UUID 63f11f83-523f-4d74-a90e-aa35c2130216
Date Processed 2013-02-16 12:52:16
Uptime 40
Last Crash 7.8 minutes before submission
Install Age 20.4 hours since version was first installed.
Install Time 2013-02-15 16:28:00
Product Firefox
Version 21.0a1
Build ID 20130215031040
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info AuthenticAMD family 16 model 10 stepping 0
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x38
User Comments http://www.scirra.com/labs/raindemo/
App Notes
AdapterVendorID: 0x10de, AdapterDeviceID: 0x11c6, AdapterSubsysID: 35571458, AdapterDriverVersion: 9.18.13.1396
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+
Processor Notes sp-processor04.phx1.mozilla.com_18912:2008
EMCheckCompatibility True
Adapter Vendor ID 0x10de
Adapter Device ID 0x11c6
Total Virtual Memory 4294836224
Available Virtual Memory 3699724288
System Memory Use Percentage 36
Available Page File 2889662464
Available Physical Memory 2708045824
Frame Module Signature Source
0 mozjs.dll js::ion::IonBuilder::getTypedArrayLength js/src/ion/IonBuilder.cpp:5441
1 mozjs.dll js::ion::IonBuilder::jsop_getelem_typed js/src/ion/IonBuilder.cpp:5512
2 mozjs.dll js::ion::IonBuilder::jsop_getelem js/src/ion/IonBuilder.cpp:5302
3 mozjs.dll js::ion::IonBuilder::inspectOpcode js/src/ion/IonBuilder.cpp:1016
4 mozjs.dll js::ion::IonBuilder::traverseBytecode js/src/ion/IonBuilder.cpp:687
5 mozjs.dll js::ion::IonBuilder::buildInline js/src/ion/IonBuilder.cpp:486
6 mozjs.dll js::ion::IonBuilder::inlineScriptedCall js/src/ion/IonBuilder.cpp:2910
7 mozjs.dll js::ion::IonBuilder::inlineScriptedCalls js/src/ion/IonBuilder.cpp:3391
8 mozjs.dll js::ion::IonBuilder::jsop_call js/src/ion/IonBuilder.cpp:4031
9 mozjs.dll js::ion::IonBuilder::inspectOpcode js/src/ion/IonBuilder.cpp:940
...
22 mozjs.dll js::ion::IonBuilder::traverseBytecode js/src/ion/IonBuilder.cpp:687
23 mozjs.dll js::ion::IonBuilder::build js/src/ion/IonBuilder.cpp:349
24 mozjs.dll js::ion::SequentialCompileContext::compile js/src/ion/Ion.cpp:1223
25 mozjs.dll js::ion::IonCompile<js::ion::SequentialCompileContext> js/src/ion/Ion.cpp:1184
26 mozjs.dll js::ion::Compile<js::ion::SequentialCompileContext> js/src/ion/Ion.cpp:1398
27 mozjs.dll js::ion::CanEnter js/src/ion/Ion.cpp:1498
28 mozjs.dll js::mjit::stubs::TriggerIonCompile js/src/methodjit/StubCalls.cpp:812
29 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:1042
30 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:1100
31 mozjs.dll js::Interpret js/src/jsinterp.cpp:1375
32 mozjs.dll js::RunScript js/src/jsinterp.cpp:316
33 mozjs.dll mozjs.dll@0x5da00
34 @0x11b00000
35 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:1042
36 mozjs.dll js::ion::Compile<js::ion::SequentialCompileContext> js/src/ion/Ion.cpp:1371
37 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:1100
...
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3AIonBuilder%3A%3AgetTypedArrayLength%28js%3A%3Aion%3A%3AMDefinition*%29
|
||
Comment 2•12 years ago
|
||
Maybe this is related to Bug 837076
|
||
Comment 3•12 years ago
|
||
Looks like during inlining of functions, we sometimes end up with code where we infer as a typed array read, but the constant value we are accessing is |undefined| and not a typed array.
|
|
||
Comment 4•12 years ago
|
||
|
||
Comment 6•12 years ago
|
||
Yeah, we'll generate the typed array accesses if the value is guaranteed to be a typed array provided it is an object. If the value is constant (i.e. Ion has more information than TI due to inlining) then it is still not guaranteed to be an object.
Attachment #714800 -
Flags: review?(dvander)
|
Reporter | |
Updated•12 years ago
|
Blocks: 832578
Crash Signature: [@ js::ion::IonBuilder::getTypedArrayLength(js::ion::MDefinition*)] → [@ js::ion::IonBuilder::getTypedArrayLength(js::ion::MDefinition*)]
[@ js::TypedArray::lengthValue(JSObject*)]
[@ js::TypedArray::length(JSObject*)]
tracking-firefox21:
--- → ?
Keywords: regressionwindow-wanted
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•12 years ago
|
Attachment #714800 -
Flags: review?(dvander)
|
|
||
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•