http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=e4x%2FGC%2Fregress-339785.js;language=type;text/javascript 1.9.2 debug browser 64 bit linux only http://hg.mozilla.org/releases/mozilla-1.9.2/rev/f8bec1cb7836 regression changeset: 30851:f8bec1cb7836 user: Andreas Gal <gal@mozilla.com> date: Mon Jul 27 21:10:12 2009 -0700 summary: When finalizing, deallocate memory in a separate thread (505612, r=bent,brendan,waldo). Program received signal SIGABRT, Aborted. [Switching to Thread 0x426b8940 (LWP 32111)] 0x00000032b4830215 in raise () from /lib64/libc.so.6 (gdb) bt #0 0x00000032b4830215 in raise () from /lib64/libc.so.6 #1 0x00000032b4831cc0 in abort () from /lib64/libc.so.6 #2 0x00000032b4874c4c in free_check () from /lib64/libc.so.6 #3 0x00000032b48758a7 in free () from /lib64/libc.so.6 #4 0x00002b1c3f721f6d in js_free (p=0x16492bc0) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsutil.h:202 #5 0x00002b1c3f7295d2 in JSFreePointerListTask::run (this=0x15f81940) at /work/mozilla/builds/1.9.2/mozilla/js/src/jsgc.h:360 #6 0x00002b1c3f7cf146 in JSBackgroundThread::work (this=0x15151100) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstask.cpp:96 #7 0x00002b1c3f7cf1a7 in start (arg=0x15151100) at /work/mozilla/builds/1.9.2/mozilla/js/src/jstask.cpp:43 #8 0x00002b1c403db6fc in _pt_root (arg=0x15151250) at /work/mozilla/builds/1.9.2/mozilla/nsprpub/pr/src/pthreads/ptthread.c:228 #9 0x00000032b5406367 in start_thread () from /lib64/libpthread.so.0 #10 0x00000032b48d309d in clone () from /lib64/libc.so.6

ditto ecma_2/RegExp/exec-002.js ecma_3_1/Object/regress-444787.js ecma_3/String/15.5.4.14.js ecma/Array/15.4.4.2.js js1_2/Array/slice.js js1_2/Array/splice1.js js1_2/Array/splice2.js js1_2/regexp/alphanumeric.js js1_2/regexp/backslash.js js1_2/regexp/digit.js js1_2/regexp/plus.js js1_2/regexp/whitespace.js js1_5/Array/regress-108440.js js1_5/extensions/getset-006.js js1_5/extensions/regress-348986.js js1_5/extensions/regress-369696-02.js js1_5/extensions/regress-369696-03.js js1_5/extensions/regress-454704.js js1_5/Regress/regress-179524.js js1_5/Regress/regress-254296.js js1_5/Regress/regress-417893.js js1_5/Regress/regress-482783.js js1_6/Array/regress-304828.js js1_6/extensions/regress-312385-01.js js1_7/block/regress-344262.js js1_7/decompilation/regress-410571.js js1_7/regress/regress-363040-02.js js1_8/extensions/regress-469625.js js1_8/regress/regress-459389.js js1_8/regress/regress-474935.js js1_8_1/regress/regress-452498-117.js

Meh. Debugging this will suck. I will try to find a 64-bit linux setup.

bc, what are the other threads' stacks? Is there array_slice on one of them?

no array_slice in this example. looking at other runs the stack in thread 1 changes. e.g.

(In reply to comment #2) > Meh. Debugging this will suck. I will try to find a 64-bit linux setup. gal, if you don't have a 64bit box I have a vm in the office you can use.

I think we have a fix for this. Bob, want to verify?

This is the likely fix: https://bugzilla.mozilla.org/show_bug.cgi?id=513981

I only saw this on 1.9.2 for some reason and 1.9.2 and tracemonkey have diverged enough that the patch doesn't apply.

I landed the patch on TM. So if TM passes we likely have a fix.

I checked tracemonkey and it does pass after the patch landed but it also passed on tracemonkey before the patch, so... Anyway. Any plan for this to make it to 1.9.2?

I requested blocking status for 1.9.2. No way we could ship without this fix.

(In reply to comment #9) > I landed the patch on TM. So if TM passes we likely have a fix. Gal, that patch fixed the JIT. bc is seeing this bug on 64 bit Linux, where we do not (yet!) have a JIT. I don't think the two bugs can be related.

Doh. Ok. Back to square 1 then. I will install a linux 64 VM.

for some reason, js1_8_1/trace/trace-test.js has started showing this as well.

no longer appeared after 9/5. -> wfm.

v