Closed Bug 847678 Opened 10 years ago Closed 10 years ago

BaselineCompiler: Crash [@ JSObject::global] or [@ js::gc::Cell::compartment]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Attached file stack
s = newGlobal()
function g(c) {
    evalcx(c, s)
}
g("[eval]=(function(){})")
g("while(eval());")

crashes js debug shell on ionmonkey changeset a703006742c5 with --ion-eager at JSObject::global and crashes js opt shell at js::gc::Cell::compartment

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122879:36b6a36c00bc
parent:      122831:836ed183bb5f
parent:      122878:67f2a2816651
user:        Jan de Mooij
date:        Fri Feb 22 13:37:13 2013 +0100
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 702d2814efbf.

This iteration took 192.186 seconds to run.

Oops! We didn't test rev 67f2a2816651, a parent of the blamed revision! Let's do that now.
Rev 67f2a2816651: Updating... Compiling... Testing... good (Acceptable exit code 3) 
As expected, the parent's label is the opposite of the blamed rev's label.
Attached patch: Patch
We should only resume into the prologue for function scripts; for global scripts this is invalid since we expect the scope chain in R1.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #721263 - Flags: review?(kvijayan)
Attachment #721263 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/6ea3d665ecc1
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED