Bug 906241 - GenerationalGC: Crash [@ lookupGeneric]
Status: RESOLVED FIXED (Closed; opened 11 years ago, closed 11 years ago)
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla26
People: Reporter: gkw, Assigned: terrence
Keywords: crash, regression, testcase
Attachments (2 files):
  - 1.38 KB, text/plain
  - 1.60 KB, patch, bhackett1024: review+
Description (Reporter: gkw)
for (let y in []);
(function f(x) {
Float64Array(ArrayBuffer());
{
f(x)
function t() {}
}
})();
crashes js debug shell (tested with a threadsafe 64-bit debug build) on m-i changeset a63f47fcbe98 without any CLI arguments at lookupGeneric
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 140539:1a0e01422cb3
user: Terrence Cole
date: Wed Jul 10 10:13:46 2013 -0700
summary: Bug 889682 - Eagerly check for remembered set membership before buffering; r=billm
Flags: needinfo?(terrence)
Comment 1 (Assignee: terrence) • 11 years ago
Great find, Gary! This is a dup of bug 906128, but I'm going to use this bug because of the nice test case.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #792317 -
Flags: review?(bhackett1024)
Flags: needinfo?(terrence)
Comment 3 • 11 years ago
Comment on attachment 792317 [details] [diff] [review]
fuzz_906241-v0.diff
Review of attachment 792317 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jit/VMFunctions.cpp
@@ +459,5 @@
> + JSObject *obj = CallObject::create(cx, script, shape, type, slots);
> +
> + // The JIT creates call objects in the nursery, so elides barriers for
> + // the initializing writes. The interpreter, however, may have allocated
> + // the call object tenured, so barrier as needed before re-entering.
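Review bot: within these five lines the result of `CallObject::create` is stored into `obj` with no null check visible before the comment that introduces the barrier logic; if `create` can fail here, an `if (!obj) return nullptr;` (or whatever failure idiom VMFunctions.cpp already uses) should sit between the call and the barrier code, so confirm it is present in the omitted context. On the comment wording, the contrast the code actually draws is between inline JIT code (which allocates the call object in the nursery and can skip barriers on initializing writes) and this VM call path (which may hand back a tenured object), so naming "the interpreter" is misleading; the suggested s/The JIT/Inline code/ and s/The interpreter/VM calls/ substitutions make the comment match the code.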
This comment is kind of confusing, as it's not a question of the interpreter's behavior here but that of the VM call. How about s/The JIT/Inline code/ and s/The interpreter/VM calls/
Attachment #792317 -
Flags: review?(bhackett1024) → review+
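The rule in the patch comment above (nursery-allocated objects may skip post-write barriers on their initializing writes, tenured ones may not) is easiest to see on a toy generational heap. The following C++ model is an added illustration and is not SpiderMonkey code; the names `Heap`, `barrieredStore`, `minorGC`, `scenario` and the poison value are all invented for this example. It shows that a nursery argument stored into a tenured "call object" without a barrier is left dangling after a minor GC, while the same store through the barrier (with the eager remembered-set membership check) or into a nursery-allocated call object survives.

```cpp
// Toy generational heap: nursery bump allocator, tenured cells, and a store
// buffer (remembered set) of tenured slots that point into the nursery.
// Added example, not SpiderMonkey's implementation.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Obj {
    Obj* ref;        // the one pointer slot this toy object carries
    int value;
    bool inNursery;
    Obj* forward;    // forwarding address, set once the object is copied out
};

static const int kPoison = 0xDEAD;        // written over every nursery cell after a minor GC
static const size_t kNurseryCells = 64;

struct Heap {
    Obj nursery[kNurseryCells];
    size_t nurseryTop = 0;
    std::vector<Obj*> tenured;            // tenured cells, freed in the destructor
    std::vector<Obj**> storeBuffer;       // remembered set of tenured->nursery edges

    ~Heap() { for (Obj* o : tenured) delete o; }

    Obj* allocNursery(int v) {
        Obj* o = &nursery[nurseryTop++];
        *o = Obj{nullptr, v, true, nullptr};
        return o;
    }
    Obj* allocTenured(int v) {
        Obj* o = new Obj{nullptr, v, false, nullptr};
        tenured.push_back(o);
        return o;
    }
    // Post-write barrier. Only a tenured owner storing a nursery pointer needs
    // remembering; the linear scan is the "eager membership check" that keeps
    // one slot from being buffered twice.
    void barrieredStore(Obj* owner, Obj** slot, Obj* val) {
        *slot = val;
        if (owner->inNursery || !val || !val->inNursery) return;
        for (Obj** s : storeBuffer) if (s == slot) return;
        storeBuffer.push_back(slot);
    }
    // Evacuate one nursery object (and what it references) to tenured space.
    Obj* copy(Obj* o) {
        if (!o || !o->inNursery) return o;
        if (o->forward) return o->forward;
        Obj* t = allocTenured(o->value);
        o->forward = t;
        t->ref = copy(o->ref);              // recursion is fine at this toy depth
        return t;
    }
    // Minor GC: roots and remembered slots are the only edges traced into the
    // nursery; everything else in the nursery is swept and poisoned.
    void minorGC(const std::vector<Obj**>& roots) {
        for (Obj** r : roots) *r = copy(*r);
        for (Obj** s : storeBuffer) *s = copy(*s);
        storeBuffer.clear();
        for (size_t i = 0; i < nurseryTop; i++) nursery[i].value = kPoison;
        nurseryTop = 0;
    }
};

// Models a frame whose call object receives a nursery-allocated argument.
// Returns the value read through callObj->ref after a minor GC; kPoison
// means the slot was left dangling into the swept nursery.
int scenario(bool callObjTenured, bool useBarrier) {
    Heap heap;
    Obj* arg = heap.allocNursery(42);                 // constructed nursery argument
    Obj* callObj = callObjTenured ? heap.allocTenured(0) : heap.allocNursery(0);
    if (useBarrier) heap.barrieredStore(callObj, &callObj->ref, arg);
    else callObj->ref = arg;                          // initializing write, no barrier
    std::vector<Obj**> roots{&callObj};               // arg is reachable only via callObj
    heap.minorGC(roots);
    return callObj->ref->value;
}

int main() {
    std::printf("nursery callobj, no barrier: %d\n", scenario(false, false));
    std::printf("tenured callobj, barrier:    %d\n", scenario(true, true));
    std::printf("tenured callobj, no barrier: %d (0x%X = poison)\n",
                scenario(true, false), scenario(true, false));
    return 0;
}
```

The nursery-allocated call object needs no barrier because the collector copies it as a root and scans its slot while doing so; the tenured one is never scanned, so only the store buffer can keep its nursery referent alive. That is exactly the asymmetry the patch handles by barriering "as needed" on the VM-call path before returning to inline code.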
Comment 4 (Assignee) • 11 years ago
Comment 5 (Assignee) • 11 years ago
Backed out for possible bustage in:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5e7bc6009afc
Comment 6 • 11 years ago
Comment 7 (Assignee) • 11 years ago
I did not qref before cherrypicking, so the test was missing its expected error header.
Relanded:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ec62e23bf94b
Comment 8 • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26