Closed
Bug 743071
Opened 13 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::types::TypeSet::baseFlags]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,reconfirm,ignore])
Crash Data
The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n -m --ion-eager):
{
try
{
try
{
}
catch(ex1)
{
}
}
catch(ex)
{
}
}
function optionsClear() {
var optionNames = options().split(',');
for (var i = 0; i < optionNames.length; i++)
{
var optionName = optionNames[i];
if (optionName &&
optionName != "methodjit_always")
{
options(optionName);
}
}
}
{
optionsClear();
{
}
}
function test() {
for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
try
{
}
catch(e)
{
}
}
}
try {
var g = newGlobal('new-compartment');
g.eval("(" + function () {
dbg = new Debugger(debuggeeGlobal);
} + ")();");
} catch(exc0) {}
|
Reporter | |
Comment 1•13 years ago
|
||
Excuse the long test, accidentially hit the wrong file which didn't have the useless try catch blocks removed. Will reproduce anyway of course :)
Here's a backtrace for the crash:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004d7a4e in js::types::TypeSet::baseFlags (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.h:375
375 TypeFlags baseFlags() const { return flags & TYPE_FLAG_BASE_MASK; }
(gdb) bt 16
#0 0x00000000004d7a4e in js::types::TypeSet::baseFlags (this=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.h:375
#1 0x00000000004df7cc in js::types::TypeSet::getSingleton (this=0x0, cx=0xd05d30, freeze=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:1810
#2 0x00000000007851d5 in js::ion::IonBuilder::getSingleCallTarget (this=0x7fffffffa8e0, argc=1, pc=0xd0c11a "R") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:132
#3 0x000000000078c452 in js::ion::IonBuilder::jsop_call (this=0x7fffffffa8e0, argc=1, constructing=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:2604
#4 0x0000000000786e25 in js::ion::IonBuilder::inspectOpcode (this=0x7fffffffa8e0, op=JSOP_NEW) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:739
#5 0x0000000000786466 in js::ion::IonBuilder::traverseBytecode (this=0x7fffffffa8e0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:516
#6 0x0000000000785873 in js::ion::IonBuilder::build (this=0x7fffffffa8e0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonBuilder.cpp:271
#7 0x000000000076dc1a in TestCompiler (builder=..., graph=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:639
#8 0x000000000076e5f4 in IonCompile (cx=0xd05d30, script=0x7ffff091d160, fp=0x7ffff0beb1d0, osrPc=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:774
#9 0x000000000076e9e3 in Compile (cx=0xd05d30, script=0x7ffff091d160, fp=0x7ffff0beb1d0, osrPc=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:858
#10 0x000000000076ec99 in js::ion::CanEnter (cx=0xd05d30, script=0x7ffff091d160, fp=0x7ffff0beb1d0, newType=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:926
#11 0x000000000050f3bb in js::Interpret (cx=0xd05d30, entryFrame=0x7ffff0beb150, interpMode=js::JSINTERP_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:2781
#12 0x0000000000501e8c in js::RunScript (cx=0xd05d30, script=0x7ffff091d230, fp=0x7ffff0beb150) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:483
#13 0x0000000000502a73 in js::ExecuteKernel (cx=0xd05d30, script=0x7ffff091d230, scopeChain=..., thisv=..., type=js::EXECUTE_INDIRECT_EVAL, evalInFrame=0x0, result=0x7ffff0beb128)
at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinterp.cpp:681
#14 0x0000000000531a79 in EvalKernel (cx=0xd05d30, args=..., evalType=INDIRECT_EVAL, caller=0x0, scopeobj=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:1045
#15 0x0000000000531bd4 in js::eval (cx=0xd05d30, argc=1, vp=0x7ffff0beb128) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:1089
(More stack frames follow...)
|
||
Comment 2•13 years ago
|
||
Will be fixed by patch in Bug 745362.
|
|
Reporter | |
Comment 4•13 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision de015aff650d).
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,reconfirm]
|
|
Reporter | |
Comment 5•13 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision bc1833f2111e).
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:update,reconfirm,ignore]
The original cset WFM, and given comments 2, 4, and 5, I'm going to WFM this.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Comment 7•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•