Closed Bug 864004 Opened 11 years ago Closed 3 years ago

Opt-only Crash [@ js::EqualStrings]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

The following testcase crashes on mozilla-central revision dd03d42b01b1 (run with --ion-eager):


var VERBOSE = false;
var callStack = new Array();
function TestCase(d) {
  toPrinted(d);
}
function toPrinted(value) {}
function reportCompare (expected) {
  if (VERBOSE)
    toPrinted(expected) 
}
function enterFunc (funcName) {
  funcName += "()";
  callStack.push(funcName);
}
function exitFunc (funcName) {
  var lastFunc = callStack.pop();
    if (!funcName.match(/\(\)$/))
      funcName += "()";
    if (lastFunc != funcName)
      reportCompare(funcName, lastFunc, "");
new TestCase(10);
  enterFunc ('test');
var expect = 'No Crash';
  reportCompare(expect);
  exitFunc ('test');
}
reportCompare(Date.UTC());
enterFunc ('test');
exitFunc ('test');

In a debug build, I get "InternalError: too much recursion", so I assume there's an unchecked return due to stack exhaustion somewhere, and the test hits this exact spot in an opt build, while in the debug build stack frames are larger.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 53d5e43e23cc).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/437c955ff06d
user:        Nicolas B. Pierron
date:        Wed Jan 30 07:41:01 2013 -0800
summary:     Bug 796114 - Inline with type-checked arguments. r=h4writer

This iteration took 1.368 seconds to run.
Assignee: general → nobody

Hello! I have tried to reproduce the issue with Firefox 78.7.0esr, 85.0 and 87.0a1 (2021-02-03) but unfortunately I wasn't able to reproduce it.
Christian, does this issue still occur? And if so, can you please provide a new testcase or some updated steps to reproduce?

Flags: needinfo?(choller)

Not seeing this in fuzzing anymore, closing as WFM.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME