Closed
Bug 926841
Opened 11 years ago
Closed 10 years ago
Crash [@ js::EncapsulatedPtr] or Opt-Crash [@ js::jit::Compile] with setObjectMetadataCallback
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(1 file)
|
719 bytes,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 23bd0deec359 (threadsafe build, run with --fuzzing-safe --thread-count=2 --ion-parallel-compile=on --ion-eager):
function callback(obj) {}
setObjectMetadataCallback(callback);
w = new callback();
|
Reporter | |
Comment 1•11 years ago
|
||
|
||
Comment 2•11 years ago
|
||
Brian, this is a setObjectMetadataCallback issue I think. We trigger an off-thread compilation here jit::CanEnter -> CreateThisForFunction -> fun_resolve -> ShellObjectMetadataCallback -> jit::Compile. Then we return to jit::CanEnter and crash in Compile because script->ion == ION_COMPILING_SCRIPT...
Flags: needinfo?(bhackett1024)
|
||
Comment 4•10 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #3) > This should be fixed by bug 950118. true?
Crash Signature: [@ js::EncapsulatedPtr] or Opt-Crash [@ js::jit::Compile] → [@ js::EncapsulatedPtr]
[@ js::jit::Compile]
Flags: needinfo?(choller)
|
|
Reporter | |
Updated•10 years ago
|
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,reconfirm,bisectfix]
|
|
Reporter | |
Updated•10 years ago
|
Crash Signature: [@ js::EncapsulatedPtr]
[@ js::jit::Compile] → [@ js::EncapsulatedPtr]
[@ js::jit::Compile]
Whiteboard: [jsbugmon:update,reconfirm,bisectfix] → [jsbugmon:reconfirm,bisectfix]
|
|
Reporter | |
Comment 5•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Reporter | |
Comment 6•10 years ago
|
||
Haven't seen this in a while and it should be fixed according to comment 3, marking WFM.
Status: NEW → RESOLVED
Crash Signature: [@ js::EncapsulatedPtr]
[@ js::jit::Compile] → [@ js::EncapsulatedPtr]
[@ js::jit::Compile]
Closed: 10 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:reconfirm,bisectfix]
|
||
Comment 7•9 years ago
|
||
¡Hola Christian! Got this one in Nightly Report ID Date Submitted bp-a90fb719-30f9-43d2-bcad-616422151030 10/30/2015 12:42 PM Crashing Thread Frame Module Signature Source 0 xul.dll js::jit::Compile js/src/jit/Ion.cpp 1 xul.dll js::jit::CanEnter(JSContext*, js::RunState&) js/src/jit/Ion.cpp 2 xul.dll js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp 3 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 4 xul.dll js::fun_apply(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp 5 @0x18d54e42 Shall I reopen this bug, file a new one or just ignore the crash until I have reproducible steps? ¡Gracias! Alex
status-firefox44:
--- → affected
Flags: needinfo?(choller)
|
|
Reporter | |
Comment 8•9 years ago
|
||
Your bug is probably different to this one, the crash signature you are seeing is very generic. If you manage to find a testcase/steps to reproduce, please file a new bug. ¡Thanks!
status-firefox44:
affected → ---
Flags: needinfo?(choller)
You need to log in
before you can comment on or make changes to this bug.
Description
•