Closed Bug 906241 Opened 11 years ago Closed 11 years ago

GenerationalGC: Crash [@ lookupGeneric]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED FIXED
mozilla26

People

(Reporter: gkw, Assigned: terrence)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file stack
for (let y in []); (function f(x) { Float64Array(ArrayBuffer()); { f(x) function t() {} } })();

crashes js debug shell (tested with a threadsafe 64-bit debug build) on m-i changeset a63f47fcbe98 without any CLI arguments at lookupGeneric

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   140539:1a0e01422cb3
user:        Terrence Cole
date:        Wed Jul 10 10:13:46 2013 -0700
summary:     Bug 889682 - Eagerly check for remembered set membership before buffering; r=billm
Flags: needinfo?(terrence)
Great find, Gary! This is a dup of bug 906128, but I'm going to use this bug because of the nice test case.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #792317 - Flags: review?(bhackett1024)
Flags: needinfo?(terrence)
Comment on attachment 792317 [details] [diff] [review] fuzz_906241-v0.diff Review of attachment 792317 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/VMFunctions.cpp @@ +459,5 @@ > + JSObject *obj = CallObject::create(cx, script, shape, type, slots); > + > + // The JIT creates call objects in the nursery, so elides barriers for > + // the initializing writes. The interpreter, however, may have allocated > + // the call object tenured, so barrier as needed before re-entering. This comment is kind of confusing, as it's not a question of the interpreter's behavior here but that of the VM call. How about s/The JIT/Inline code/ and s/The interpreter/VM calls/
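Review bot: the visible part of the js/src/jit/VMFunctions.cpp hunk assigns `CallObject::create(cx, script, shape, type, slots)` to `obj` and goes straight into the barrier comment with no null check in view; make sure the lines that follow the hunk return early on allocation failure before `obj` is dereferenced for the barrier writes. On the comment wording, the suggested s/The JIT/Inline code/ and s/The interpreter/VM calls/ would read more clearly still if the comment also named what decides whether the call object was allocated tenured or in the nursery, since "barrier as needed" leaves that condition to the reader.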
Attachment #792317 - Flags: review?(bhackett1024) → review+
I did not qref before cherrypicking, so the test was missing its expected error header. Relanded: https://hg.mozilla.org/integration/mozilla-inbound/rev/ec62e23bf94b
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26