865620 - Crash on Heap with possible OOM

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 690b5e0f6562 (run with --ion-eager):


function reportCompare (expected, actual, description) {
    return actual == expected;
}
var UBound = 0;
var cnGlobal = this.toString();
var cnObject = (new Object).toString();
var statusitems = [];
var actualvalues = [];
var expectedvalues = [];
capture(this.toString());
capture(-12346);
expectedvalues[0] = cnGlobal;
expectedvalues[1] = cnObject;
test();
function capture(val) {
  actualvalues[UBound] = val;
  UBound++;
}
function test() {
  for (var i=0; i<UBound; i++)
    reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]);
}

Comment 1

[Daniel Veditz [:dveditz]]

Any crash stack? Regression window? possible developer to involve?

Comment 2

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b842d26dd5f0).

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   130564:b035b05f6a18
user:        Brian Hackett
date:        Wed May 01 18:07:36 2013 -0600
summary:     Bug 866765 - Refactor compilation of JSOP_SETELEM to only pop operands at one point, r=dvander.

This iteration took 329.691 seconds to run.

Comment 4

[Christian Holler (:decoder)]

Brian, is the bug in comment 3 likely fixing the crash?

Comment 5

[Brian Hackett [Laid off!]]

Can't say for sure without a stack, but why not?