Closed Bug 883626 Opened 12 years ago Closed 12 years ago

Crash [@ js::ion::GetPcScript]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla24

People

(Reporter: gkw, Assigned: h4writer)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Attached file stack
x = (function() { yield })()
Array.prototype.unshift.call(x, x);
Array.prototype.unshift.call(x, /x/)
Array.prototype.sort.call(x, (function(t, foreign) {
    "use asm";
    var ff = foreign.ff
    function f() {
        return +ff()
    }
    return f
})(this, { ff: SyntaxError }))

crashes js debug and opt shell on m-c changeset 36da3cb92193 without any CLI arguments at js::ion::GetPcScript (opt shell crashes at a near NULL deref).

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/05bf9122d234
user: Benjamin Bouvier
date: Thu Jun 13 11:47:09 2013 -0700
summary: Bug 882514: Don't try to enable Ion on functions with no script; r=h4writer
Flags: needinfo?(bbouvier)
The asm function doesn't have to be called through sort. This also crashes:

(function(t, foreign) {
    "use asm";
    var ff = foreign.ff
    function f() {
        return +ff()
    }
    return f
})(this, { ff: SyntaxError })()
Crash Signature: [@ js::ion::GetPcScript] → [@ js::ion::GetPcScript(JSContext*, JSScript**, unsigned char**)]
I can reproduce the crash
bp-af183c46-a39c-474c-9bb9-6365f2130616

Steps to reproduce:
1. Install https://addons.mozilla.org/en-US/firefox/addon/execute-js/?src=search and restart
2. Alt > Tools > Open Execute JS
3. Paste JS code of comment #0 to upper-left pane
4. Click Execute button

Actual Results:
Crash

Regression window(m-i)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/6f52e55ac5be
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130612 Firefox/24.0 ID:20130612124657
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/2810e80e1393
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130612 Firefox/24.0 ID:20130612130058
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6f52e55ac5be&tochange=2810e80e1393

Triggered by:
2810e80e1393 Hannes Verschore — Bug 860838: OdinMonkey: Optimize FFI calls to ionmonkey, r=luke

And the following builds also crash. So, it is a different regression range than in comment #0.
http://hg.mozilla.org/integration/mozilla-inbound/rev/03e03ea1a842
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130613104608
http://hg.mozilla.org/integration/mozilla-inbound/rev/05bf9122d234
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130613 Firefox/24.0 ID:20130613114805
I'll take this bug. I have an idea where the fault is located. It is not a fall-out from bug 860838, but from the original bug 860838.
Assignee: general → hv1989
Blocks: 860838
Flags: needinfo?(bbouvier)
*not a fall-out from bug 882514
Attached patch Patch
This fixes the problem here. Gonna quickly check if there are more places where we hit this.
Attachment #764168 - Flags: review?(luke)
Attachment #764168 - Flags: review?(luke) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24