Closed Bug 543436 Opened 15 years ago Closed 15 years ago

Crash [@ JSFunctionBox::joinable] or [@ JSCompiler::setFunctionKinds]

(Core :: JavaScript Engine, defect, P1)

RESOLVED FIXED
mozilla1.9.3a2

(Reporter: gkw, Assigned: brendan)

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey [ccbr])

Attachments: 1 file, 1 obsolete file

(function() {
  try {
    eval("\
      function() {\
        if (3)\
          (1 for (x in []));\
        else \
          (this._ = function(){})\
      }\
    ");
  } catch(e) {}
})()

crashes js debug shell on TM tip without -j at JSFunctionBox::joinable near null and crashes js opt shell on TM tip without -j at JSCompiler::setFunctionKinds near null.

autoBisect shows this is probably related to bug 536564:

The first bad revision is:
changeset:   37039:f6b37dc8709e
user:        Brendan Eich
date:        Thu Jan 14 14:22:00 2010 -0800
summary:     Fast followup fix for thinko (536564, r=jorendorff).

===

js opt shell stacktrace:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin   0x0008f64d JSCompiler::setFunctionKinds(JSFunctionBox*, unsigned int&) + 429
1   js-opt-32-tm-darwin   0x000a2b7b JSCompiler::compileScript(JSContext*, JSObject*, JSStackFrame*, JSPrincipals*, unsigned int, unsigned short const*, unsigned long, __sFILE*, char const*, unsigned int, JSString*, unsigned int) + 955
2   js-opt-32-tm-darwin   0x0007367a obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 2362
3   js-opt-32-tm-darwin   0x0005f8ac js_Invoke + 1180
4   js-opt-32-tm-darwin   0x0005540f js_Interpret + 25007
5   js-opt-32-tm-darwin   0x0005f0c1 js_Execute + 625
6   js-opt-32-tm-darwin   0x0000debc JS_ExecuteScript + 60
7   js-opt-32-tm-darwin   0x00004c28 Process(JSContext*, JSObject*, char*, int) + 1336
8   js-opt-32-tm-darwin   0x00008ca6 main + 1734
9   js-opt-32-tm-darwin   0x00002bcd _start + 208
10  js-opt-32-tm-darwin   0x00002afc start + 40
Attached patch fix (obsolete) (deleted) — Splinter Review
D'oh. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #427694 - Flags: review?(jorendorff)
Thanks, Gary -- could not do it without your fuzzing efforts. /be
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.3a2
Attached patch fix, v2 (deleted) — Splinter Review
I had this patch originally, and then "simplified" too much without running trace-test. Writing "I will not [do that again]" 100x on the blackboard... /be
Attachment #427694 - Attachment is obsolete: true
Attachment #427698 - Flags: review?(jorendorff)
Attachment #427694 - Flags: review?(jorendorff)
Attachment #427698 - Flags: review?(jorendorff) → review+
Whiteboard: [ccbr] → fixed-in-tracemonkey [ccbr]
Rats, wrong words in commit message, right bug number. See bug 546069. /be
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSFunctionBox::joinable] [@ JSCompiler::setFunctionKinds]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+