BaselineCompiler: Crash [@ JSObject::global] or [@ js::gc::Cell::compartment]

RESOLVED FIXED

Status

RESOLVED FIXED
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

Blocks: 2 bugs
Version: Other Branch
Platform: x86_64 Mac OS X
Keywords: crash, regression, testcase

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

Description (Reporter: gkw, 6 years ago)

Created attachment 720957: stack

// newGlobal() and evalcx() are SpiderMonkey shell builtins: newGlobal() creates a
// fresh global object, evalcx(code, global) evaluates a global script inside it.
s = newGlobal()
function g(c) {
    evalcx(c, s)
}
// First global script: rebinds the new global's `eval` via destructuring assignment.
g("[eval]=(function(){})")
// Second global script: a loop calling the rebound `eval`; with --ion-eager this
// script is compiled by the Baseline compiler and triggers the crash.
g("while(eval());")

This crashes the js debug shell on ionmonkey changeset a703006742c5 with --ion-eager at JSObject::global, and crashes the js opt shell at js::gc::Cell::compartment.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122879:36b6a36c00bc
parent:      122831:836ed183bb5f
parent:      122878:67f2a2816651
user:        Jan de Mooij
date:        Fri Feb 22 13:37:13 2013 +0100
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 702d2814efbf.

This iteration took 192.186 seconds to run.

Oops! We didn't test rev 67f2a2816651, a parent of the blamed revision! Let's do that now.
Rev 67f2a2816651: Updating... Compiling... Testing... good (Acceptable exit code 3) 
As expected, the parent's label is the opposite of the blamed rev's label.
Comment 1 (Assignee: jandem, 6 years ago)

Created attachment 721263: Patch

We should only resume into the prologue for function scripts; for global scripts this is invalid, since we expect the scope chain in R1.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #721263 - Flags: review?(kvijayan)
Attachment #721263 - Flags: review?(kvijayan) → review+
Comment 2 (Assignee: jandem, 6 years ago)
https://hg.mozilla.org/projects/ionmonkey/rev/6ea3d665ecc1
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED