Closed Bug 876495 Opened 12 years ago Closed 8 years ago

Crash [@ js::gc::Cell::tenuredZone] or Opt-Crash [@ js::ObjectImpl::markChildren] with countHeap

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: decoder, Assigned: nbp)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a39263b0c896 (run with --ion-eager):

var o0 = [];
var o4 = {};
function f6(o) {
    o[3] = o;
};
for(var i=0; i<20; i++) {
    f6(o0);
    f6(o4);
}
countHeap();

Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 132964:3835cbed5915
user: Nicolas B. Pierron
date: Fri May 24 14:58:08 2013 -0700
summary: Bug 774006 - IonMonkey: Implement SetElementIC for integer indexes. r=h4writer

This iteration took 317.915 seconds to run.
Needinfo from Nicolas based on comment 2 :)
Crash Signature: [@ js::gc::Cell::tenuredZone] or Opt-Crash [@ js::ObjectImpl::markChildren] → [@ js::gc::Cell::tenuredZone] [@ js::ObjectImpl::markChildren]
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 495b385ae811).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 495b385ae811).

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 133116:00b0dc4c196e
user: Hannes Verschore
date: Tue May 28 15:09:25 2013 +0200
summary: Bug 876649: IonMonkey: Temporary disable MSetElementCache when no dense write is seen, r=jandem

This iteration took 296.761 seconds to run.
We should land these test cases, as they highlight cases which are failing with the additional patch of Hannes, and as we want to remove/weaken the condition added by Hannes, having these tests in the tree would help prevent them from reappearing. This case means that the case I thought I handled correctly to check for out-of-bounds uses is not working in the current IC.
Flags: needinfo?(nicolas.b.pierron)
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
[Tracking Requested - why for this release]:
blocking-b2g: --- → 2.2?
(In reply to Nicolas B. Pierron [:nbp] {backlog: ~41} from comment #6)
> We should land these test cases

We can no longer land the test case because countHeap got removed (Bug 1169097)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
blocking-b2g: 2.2? → ---