Closed
Bug 875375
Opened 11 years ago
Closed 11 years ago
Crash [@ check] or Opt-Crash [@ js::ToNumberSlow] with ParallelArray
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 875957
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(1 file)
863 bytes,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 00b264c7cced (run with --ion-eager):
var N = 2;
var M = 4;
var O = 6;
var P = 8;
var p = new ParallelArray([N,M,O,P], function() {});
for (var j = 0; j < M; j++ ) {
for (var k = 0; k < O; k++) {
for (var l = 0; l < P; l++) {
p.get("eval", j, k, l)
}
}
}
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
check (v=..., this=0x7fffffffc5e0) at ../jscntxtinlines.h:211
211 check(v.toString());
#0 check (v=..., this=0x7fffffffc5e0) at ../jscntxtinlines.h:211
#1 js::CompartmentChecker::check (this=0x7fffffffc5e0, v=...) at ../jscntxtinlines.h:207
#2 0x000000000044daa1 in assertSameCompartment<JS::Value> (t1=..., cx=0x1857730) at ../jscntxtinlines.h:275
#3 JS::AssertArgumentsAreSane (cx=<optimized out>, value=...) at js/src/jsapi.cpp:7201
#4 0x0000000000890ccd in ToNumber (out=0x7fffffffc630, v=..., cx=0x1857730) at ../jsapi.h:1515
#5 GreaterThanOrEqualOperation (res=<synthetic pointer>, rhs=$jsval(4), lhs=$jsval(0x0), cx=0x1857730) at ../jsinterpinlines.h:1017
#6 js::ion::GreaterThanOrEqual (cx=0x1857730, lhs=$jsval(0x0), rhs=$jsval(4), res=0x7fffffffc6cc) at js/src/ion/VMFunctions.cpp:225
#7 0x00007ffff67c4684 in ?? ()
rdx 0x0 0
rip 0x4337dd <js::CompartmentChecker::check(JS::Value const&)+93>
=> 0x4337dd <js::CompartmentChecker::check(JS::Value const&)+93>: testb $0x8,(%rdx)
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 132612:b2216a10f95b
user: Shu-yu Guo
date: Tue May 21 23:52:45 2013 -0700
summary: Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)
This iteration took 327.765 seconds to run.
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | ||
Comment 4•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 75407626ba46).
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Reporter | ||
Comment 5•11 years ago
|
||
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 133356:e7a5e3d66eb4
user: Shu-yu Guo
date: Wed May 29 16:32:39 2013 -0700
summary: Bug 875957 - Record argument types in the element types of the rest array in Ion and Baseline. (r=djvj)
This iteration took 326.633 seconds to run.
Reporter | ||
Comment 6•11 years ago
|
||
Shu, I don't see rest array involved in the test in comment 0, is this fix bisect correct?
Flags: needinfo?(shu)
Comment 7•11 years ago
|
||
It is; the .get() call is self-hosted and actually uses rest args.
Flags: needinfo?(shu)
Reporter | ||
Comment 8•11 years ago
|
||
Thanks :) That explains it.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•