Closed Bug 843429 Opened 11 years ago Closed 11 years ago

BaselineCompiler: Crash [@ JSObject::defaultValue]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

stack
14.91 KB, text/plain
Details
Patch
1.15 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Attached file stack 
(function () {
    const x = [] = {};
    (function () {
        print(x)
    })()
})()

crashes js debug and opt shell on ionmonkey changeset 2445c6378f36 without any CLI arguments at JSObject::defaultValue
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
I tested this on 32-bit Linux.
OS: Mac OS X → Linux
Hardware: x86_64 → x86
Yep, confirmed. It doesn't reproduce on 64 bit that's why JSBugMon failed.
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Reproduces on 32-bit Mac.
OS: Linux → All
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   121322:f21ddc17c570
user:        Brian Hackett
date:        Thu Feb 07 13:03:12 2013 -0700
summary:     Bug 839080 - Compile object initializer opcodes, r=djvj.

Brian, is bug 839080 a likely regressor?
Blocks: 839080
Crash Signature: [@ JSObject::defaultValue]
Flags: needinfo?(bhackett1024)
Keywords: regression
Attached patch PatchSplinter Review 
Between ops, values on top of the stack can be in R0 or R1 and SETALIASEDVAR shouldn't use these registers.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #716465 - Flags: review?(bhackett1024)
Flags: needinfo?(bhackett1024)
Attachment #716465 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/de894e57ecb2
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: