Closed Bug 564619 Opened 14 years ago Closed 14 years ago

TM: Crash [@ js_ValueToString] with eval, print

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: mrbkap)

(Keywords: crash, regression, testcase, Whiteboard: [ccbr])

(function() {
  eval("\
    function c() {\
      for (var b = 0; b < 2; ++b) {\
        print(this)\
      }\
    }\
    c();\
    c();\
  ")
})()

crashes js debug and opt shells with -j on TM tip at null at js_ValueToString.

Opt shell stack:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   ???                           	0000000000 0 + 0
1   js-opt-32-tm-darwin           	0x000dc56f js_ValueToString + 111
2   js-opt-32-tm-darwin           	0x00003dd6 Print(JSContext*, unsigned int, long*) + 166
3   ???                           	0x003d2f84 0 + 4009860
4   js-opt-32-tm-darwin           	0x00122444 js::ExecuteTree(JSContext*, js::TreeFragment*, unsigned int&, js::VMSideExit**, js::VMSideExit**) + 724
5   js-opt-32-tm-darwin           	0x0013e00c js::MonitorLoopEdge(JSContext*, unsigned int&, js::RecordReason) + 1084
6   js-opt-32-tm-darwin           	0x000632d9 js_Interpret + 60057
7   js-opt-32-tm-darwin           	0x00065253 js_Execute + 531
8   js-opt-32-tm-darwin           	0x0007ea36 obj_eval(JSContext*, unsigned int, long*) + 2310
9   js-opt-32-tm-darwin           	0x0005d9b0 js_Interpret + 37232
10  js-opt-32-tm-darwin           	0x00065253 js_Execute + 531
11  js-opt-32-tm-darwin           	0x0000eedc JS_ExecuteScript + 60
12  js-opt-32-tm-darwin           	0x0000464c Process(JSContext*, JSObject*, char*, int) + 1340
13  js-opt-32-tm-darwin           	0x0000887a main + 1626
14  js-opt-32-tm-darwin           	0x000022ad _start + 208
15  js-opt-32-tm-darwin           	0x000021dc start + 40

(Not the smallest) regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=9bf9c6e72fe2&tochange=47532d9153cb

Need zzz desperately now, will hopefully find regressing bug later...
(In reply to comment #1)
> (Not the smallest) regression window:
> 
> http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=9bf9c6e72fe2&tochange=47532d9153cb
> 
> Need zzz desperately now, will hopefully find regressing bug later...

autoBisect shows that it is probably related to bug 554550:

The first bad revision is:
changeset:   40665:3de0a7da3a8e
user:        Andreas Gal
date:        Sun Apr 11 20:55:22 2010 -0700
summary:     Remove lingering defaultValue calls with hint JSTYPE_OBJECT or JSTYPE_FUNCTION (554550, r=brendan).
Blocks: 554550
This is fixed by the patch in bug 556277. What happens is that we run the loop once, populating 'this' (properly) with the global object. On the second pass through the loop, we start tracing, but we don't guard on 'this' not being a Call object in js::TraceRecorder::getThis (we fall into the last "either we have to wrap the global, or just use the given thisObject as-is" case).

We should probably just wait for bug 556277, but we could also fix this by guarding in ::getThis that the 'this' object is not either a call or block object (making an already hot and slow path slower).
Depends on: EagerThis
Oh, and bug 554550 just exposed this, I think that before that bug, this would have been an incorrect output bug instead of a crash bug.
blocking2.0: --- → ?
blocking2.0: ? → beta4+
Assignee: general → mrbkap
Blake tells me that the fix for bug 556277 isn't going to make it for beta4, and that it got bumped to beta5, so bumping this bug as well.
blocking2.0: beta4+ → beta5+
And again to beta6, as per bug 556277 :(
blocking2.0: beta5+ → beta6+
Gary, could you retest this now that all sorts of other bugs have been fixed? :)

Also, not necessary for beta7.
blocking2.0: beta7+ → betaN+
Actually, this is now fixed, thanks to bug 556277.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_ValueToString]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+