Closed
Bug 889132
Opened 12 years ago
Closed 12 years ago
Crash at weird location of 0xdada0004 or Assertion failure: code->raw() == buffer, at ion/IonCode.h with ParallelArray
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 888470
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase)
Attachments
(1 file)
|
180 bytes,
text/plain
|
Details |
function tryItOut(code) {
if (count == 0) {
gc()
}
try {
Function(code)()
} catch (e) {}
}
count = 0
tryItOut("\
x = ParallelArray(Float32Array(5));\
z = '';\
Object.defineProperty(this, \"y\", {\
get: function() {\
return x.scatter([2, 2], undefined, (function() {\
z += ''\
}))\
}\
})\
")
count =
tryItOut("y");
tryItOut("y");
crashes 32-bit threadsafe js debug shell on m-c changeset 4ffb23062b3b with --ion-eager at 0xdada0004.
s-s because this involves gc and a weird memory address.
Due to skipped revisions, the first bad revision could be any of:
changeset: http://hg.mozilla.org/mozilla-central/rev/743204c6b245
user: Shu-yu Guo
date: Thu Jun 27 14:47:44 2013 -0700
summary: Bug 877893 - Part 1: Convert string VM functions needed for concatenation to take ThreadSafeContext. (r=billm)
changeset: http://hg.mozilla.org/mozilla-central/rev/d6b9e08626e4
user: Shu-yu Guo
date: Thu Jun 27 14:47:44 2013 -0700
summary: Bug 877893 - Part 2: Support string concat in parallel in Ion. (r=djvj)
Flags: needinfo?
|
Reporter | |
Updated•12 years ago
|
Flags: needinfo?
|
|
Reporter | |
Updated•12 years ago
|
Flags: needinfo?(shu)
|
||
Updated•12 years ago
|
Summary: Crash at weird location of 0xdada0004 with testcase → Crash at weird location of 0xdada0004 with ParallelArray.scatter
|
|
Reporter | |
Comment 1•12 years ago
|
||
.scatter may not be needed, the following testcase crashes too:
s = newGlobal();
evalcx("\
ParallelArray([93], function() {}); \
y =[]\
", s)
gc();
evalcx("\
ParallelArray([82],\
function(){\
y += \"\"\
}\
)", s)
Summary: Crash at weird location of 0xdada0004 with ParallelArray.scatter → Crash at weird location of 0xdada0004 with ParallelArray
|
|
Reporter | |
Comment 2•12 years ago
|
||
Another testcase reduced from the same original testcase in comment 1 asserts instead:
s = newGlobal();
try {
evalcx("ParallelArray([93],function(){return})", s)
evalcx("\
schedulegc(1);\
a=/()/\
", s)
evalcx("\
for(var y=[/x/,/x/,/x/,/x/]((function(){return\"\"}))in(6)(\"\")>x);\
", s)
} catch (e) {}
try {
evalcx("var r=RegExp(\"(())\",\"\");\
gcPreserveCode();\
print(r.exec());\
p=new ParallelArray([782],function(){return y+=\"\"});\
schedulegc(1);\
/()/\
", s)
} catch (e) {}
Assertion failure: code->raw() == buffer, at ion/IonCode.h
Summary: Crash at weird location of 0xdada0004 with ParallelArray → Crash at weird location of 0xdada0004 or Assertion failure: code->raw() == buffer, at ion/IonCode.h with ParallelArray
|
||
Comment 3•12 years ago
|
||
Pretty sure this is dup due to not sweeping the parallel string concat stub correctly.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•