Bug 883626: Crash [@ js::ion::GetPcScript]
Status: RESOLVED FIXED (mozilla24)
Opened 11 years ago, closed 11 years ago
Category: Core :: JavaScript Engine, defect
Reporter: gkw, Assigned: h4writer
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 18.45 KB, text/plain
- 663 bytes, patch (luke: review+)

x = (function() {
    yield
})()
Array.prototype.unshift.call(x, x);
Array.prototype.unshift.call(x, /x/)
Array.prototype.sort.call(x, (function(t, foreign) {
    "use asm";
    var ff = foreign.ff
    function f() {
        return +ff()
    }
    return f
})(this, {
    ff: SyntaxError
}))

crashes js debug and opt shell on m-c changeset 36da3cb92193 without any CLI arguments at js::ion::GetPcScript (opt shell crashes at a near NULL deref).

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/05bf9122d234
user: Benjamin Bouvier
date: Thu Jun 13 11:47:09 2013 -0700
summary: Bug 882514: Don't try to enable Ion on functions with no script; r=h4writer

Flags: needinfo?(bbouvier)

Comment 1 • 11 years ago
The asm function doesn't have to be called through sort. This also crashes:

(function(t, foreign) {
    "use asm";
    var ff = foreign.ff
    function f() {
        return +ff()
    }
    return f
})(this, {
    ff: SyntaxError
})()

Updated • 11 years ago
Crash Signature: [@ js::ion::GetPcScript] → [@ js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**)]

Comment 2 • 11 years ago
I can reproduce the crash
bp-af183c46-a39c-474c-9bb9-6365f2130616

Steps to reproduce:
1. Install https://addons.mozilla.org/en-US/firefox/addon/execute-js/?src=search and restart
2. Alt > Tools > Open Execute JS
3. Paste JS code of comment #0 to upper-left pane
4. Click Execute button

Actual Results:
Crash

Regression window (m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/6f52e55ac5be
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130612 Firefox/24.0 ID:20130612124657
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/2810e80e1393
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130612 Firefox/24.0 ID:20130612130058
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6f52e55ac5be&tochange=2810e80e1393

Triggered by:
2810e80e1393 Hannes Verschore — Bug 860838: OdinMonkey: Optimize FFI calls to ionmonkey, r=luke

And the following builds also crash, so it is a different regression range from the one in comment #0.
http://hg.mozilla.org/integration/mozilla-inbound/rev/03e03ea1a842
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130613104608
http://hg.mozilla.org/integration/mozilla-inbound/rev/05bf9122d234
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130613114805

Comment 3 • 11 years ago (Assignee)
I'll take this bug. I have an idea where the fault is located. It is not a fall-out from bug 860838, but from the original bug 860838.

Comment 4 • 11 years ago (Assignee)
*not a fall-out from bug 882514

Comment 5 • 11 years ago (Assignee)
This fixes the problem here. Gonna quickly check if there are more places where we hit this.
Attachment #764168 - Flags: review?(luke)

Updated • 11 years ago
Attachment #764168 - Flags: review?(luke) → review+

Comment 6 • 11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4dd6f0845c5

Comment 7 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/e4dd6f0845c5
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24