Closed
Bug 1065374
Opened 10 years ago
Closed 10 years ago
Crash [@ appendResumePoint] with gczeal
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1063653
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
(deleted),
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 152ef25e89ae (run with --fuzzing-safe --no-threads --ion-eager):
function test() {
var n_zero=-0;
if ((n_zero == 0) !== true) {
n_zero = 0
if ((prop == -0) !== true) {}
}
if ((n_zero === -0) !== true)
gczeal(4);
}
test();
|
Reporter | |
Comment 1•10 years ago
|
||
Bug 1063653 looks similar but the test here has gczeal in it, while the other one does not, so I decided to file this anyway. Crash trace:
Program received signal SIGSEGV, Segmentation fault.
appendResumePoint (rp=0x0, this=0x1a75010) at js/src/jit/Lowering.cpp:4001
4001 }
(gdb) bt 8
#0 appendResumePoint (rp=0x0, this=0x1a75010) at js/src/jit/Lowering.cpp:4001
#1 js::jit::LRecoverInfo::init (this=0x1a75010, rp=0x0) at js/src/jit/LIR.cpp:258
#2 0x0000000000746414 in js::jit::LRecoverInfo::New (gen=<optimized out>, mir=0x0) at js/src/jit/LIR.cpp:201
#3 0x000000000081194f in getRecoverInfo (rp=0x0, this=0x7fffffffb760) at js/src/jit/shared/Lowering-shared.cpp:69
#4 js::jit::LIRGeneratorShared::buildSnapshot (this=0x7fffffffb760, ins=<optimized out>, rp=0x0, kind=js::jit::Bailout_PrecisionLoss)
at js/src/jit/shared/Lowering-shared.cpp:158
#5 0x0000000000811d00 in js::jit::LIRGeneratorShared::assignSnapshot (this=<optimized out>, ins=0x1a74fb8, kind=<optimized out>) at js/src/jit/shared/Lowering-shared.cpp:208
#6 0x00000000006fd073 in js::jit::LIRGenerator::visitToInt32 (this=0x7fffffffb760, convert=0x1a73dc0) at js/src/jit/Lowering.cpp:1885
#7 0x00000000006fe8c6 in visitInstruction (ins=0x1a73dc0, this=0x7fffffffb760) at js/src/jit/Lowering.cpp:3839
rsi 0x0 0
=> 0x746219 <js::jit::LRecoverInfo::init(js::jit::MResumePoint*)+25>: mov 0x30(%rsi),%rsi
status-firefox35:
--- → affected
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Comment 2•10 years ago
|
||
|
||
Comment 3•10 years ago
|
||
This is the same issue as the other one. I do not expect gczeal to have any impact on the compilation data which are stored in a LifoAlloc, and also knowing that any GC has to wait for compilation to give-up.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 4•10 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/61f05ae95aa4
user: Dan Gohman
date: Tue Sep 02 13:01:31 2014 -0700
summary: Bug 1054972 - IonMonkey: Truncation for phis r=nbp
This iteration took 1.080 seconds to run.
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•