Closed
Bug 877525
Opened 12 years ago
Closed 11 years ago
Crash [@ PropertyAccess<(PropertyAccessKind)0>] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 884254
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
Attachments
(1 file)
|
600 bytes,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 8d85de779506 (run with --ion-eager):
function test() {
eval("\
var v = ({ 0 : []});\
function a() {\
oomAfterAllocations(1);\
v.f = function(a) { return o; };\
}\
new a;\
");
} test();
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
This bug is very annoying and has been around at least since TI, just hard to get a reduced test. The crash seems to indicate that it's somewhat related to types:
Program received signal SIGSEGV, Segmentation fault.
PropertyAccess<(PropertyAccessKind)0> (cx=0x92695b0, object=0xf74301e0, target=0x92e6128, idArg=$jsid("f"), script=<optimized out>, pc=<optimized out>) at js/src/jsinfer.cpp:1222
1222 if (object->singleton && object->singleton->isTypedArray() && JSID_IS_VOID(id)) {
#0 PropertyAccess<(PropertyAccessKind)0> (cx=0x92695b0, object=0xf74301e0, target=0x92e6128, idArg=$jsid("f"), script=<optimized out>, pc=<optimized out>) at js/src/jsinfer.cpp:1222
#1 0x0813e975 in resolvePending (cx=0x92695b0, this=0x9267948) at ../jsinferinlines.h:1147
#2 js::types::TypeSet::addType (this=0x92867d8, cx=0x92695b0, type=...) at ../jsinferinlines.h:1466
#3 0x0825f75d in js::types::TypeMonitorResult (cx=0x92695b0, script=0xf7437230, pc=0x927a3a5 ";", rval=...) at js/src/jsinfer.cpp:5735
#4 0x083e801c in Monitor (rval=..., pc=0x927a3a5 ";", script=<optimized out>, cx=0x92695b0) at ../jsinferinlines.h:962
#5 js::ion::DoGetNameFallback (cx=0x92695b0, frame=0xffffb40c, stub=0x9286370, scopeChain=(JSObject * const) 0xf7440550 [object Call] delegate, res=$jsval(-nan(0xfff87f7435050))) at js/src/ion/BaselineIC.cpp:4843
#6 0xf7fd078f in ?? ()
#7 0xf7fc7f94 in ?? ()
Ccing Brian since it could be related to older TI code.
Whiteboard: [jsbugmon:update]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b3cbafd5eb99).
|
||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 4•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7ba8c86f1a56).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/f822fe6c9708
user: Brian Hackett
date: Thu Jun 20 13:01:49 2013 -0600
summary: Bug 884254 - Don't update observed type sets when analyzeTypes is called during compilation, r=jandem.
This iteration took 334.374 seconds to run.
|
|
Reporter | |
Comment 5•11 years ago
|
||
Brian, could the patch in comment 4 be a fix for this issue too?
Flags: needinfo?(bhackett1024)
|
||
Comment 6•11 years ago
|
||
Sure
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•