Closed Bug 875375 Opened 11 years ago Closed 11 years ago

Crash [@ check] or Opt-Crash [@ js::ToNumberSlow] with ParallelArray

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 875957

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 00b264c7cced (run with --ion-eager):

    var N = 2;
    var M = 4;
    var O = 6;
    var P = 8;
    var p = new ParallelArray([N,M,O,P], function() {});
    for (var j = 0; j < M; j++ ) {
      for (var k = 0; k < O; k++) {
        for (var l = 0; l < P; l++) {
          p.get("eval", j, k, l)
        }
      }
    }

Crash trace:

    Program received signal SIGSEGV, Segmentation fault.
    check (v=..., this=0x7fffffffc5e0) at ../jscntxtinlines.h:211
    211         check(v.toString());
    #0  check (v=..., this=0x7fffffffc5e0) at ../jscntxtinlines.h:211
    #1  js::CompartmentChecker::check (this=0x7fffffffc5e0, v=...) at ../jscntxtinlines.h:207
    #2  0x000000000044daa1 in assertSameCompartment<JS::Value> (t1=..., cx=0x1857730) at ../jscntxtinlines.h:275
    #3  JS::AssertArgumentsAreSane (cx=<optimized out>, value=...) at js/src/jsapi.cpp:7201
    #4  0x0000000000890ccd in ToNumber (out=0x7fffffffc630, v=..., cx=0x1857730) at ../jsapi.h:1515
    #5  GreaterThanOrEqualOperation (res=<synthetic pointer>, rhs=$jsval(4), lhs=$jsval(0x0), cx=0x1857730) at ../jsinterpinlines.h:1017
    #6  js::ion::GreaterThanOrEqual (cx=0x1857730, lhs=$jsval(0x0), rhs=$jsval(4), res=0x7fffffffc6cc) at js/src/ion/VMFunctions.cpp:225
    #7  0x00007ffff67c4684 in ?? ()
    rdx 0x0 0
    rip 0x4337dd <js::CompartmentChecker::check(JS::Value const&)+93>
    => 0x4337dd <js::CompartmentChecker::check(JS::Value const&)+93>: testb $0x8,(%rdx)

Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 132612:b2216a10f95b
user: Shu-yu Guo
date: Tue May 21 23:52:45 2013 -0700
summary: Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)

This iteration took 327.765 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 75407626ba46).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 133356:e7a5e3d66eb4
user: Shu-yu Guo
date: Wed May 29 16:32:39 2013 -0700
summary: Bug 875957 - Record argument types in the element types of the rest array in Ion and Baseline. (r=djvj)

This iteration took 326.633 seconds to run.
Shu, I don't see rest array involved in the test in comment 0, is this fix bisect correct?
Flags: needinfo?(shu)
It is; the .get() call is self-hosted and actually uses rest args.
Flags: needinfo?(shu)
Thanks :) That explains it.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE