Closed Bug 788071 Opened 12 years ago Closed 12 years ago

js shell fails with "Segmentation fault"

Categories: Core :: JavaScript Engine, defect

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED DUPLICATE of bug 787775

People: Reporter: yury, Unassigned

Details

After 9-01-2012 the js shell started failing with "Segmentation fault". Bisect found http://hg.mozilla.org/mozilla-central/rev/102c2795bacc as a suspect.

To replicate:
1. Clone and init shumway:
  git clone https://github.com/mozilla/shumway.git
  cd shumway
  git submodule init
  git submodule update
2. Edit utils/Makefile to set JSSHELL_URL_BASE = http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/09/2012-09-01-03-05-28-mozilla-central/
3. Install utils (which downloads js shell):
  make -C utils/ install-js install-apparat
4. Run the playerGlobal build:
  make -C utils/playerGlobal/ build

Actual result:
../jsshell/js: line 3:  6798 Segmentation fault      (core dumped)

Expected result: the js run succeeds.
Stack:

#0  0x0000000000634e44 in js::ArrayBufferObject::removeFinalizedView (
    this=0x2aaaba1b0ec0, fop=0x7fffffffc440, view=0x2aaab8344220)
    at /home/yury/Work/mozilla-central/js/src/jstypedarray.cpp:354
#1  0x0000000000638189 in js::DataViewObject::obj_finalize (
    fop=0x7fffffffc440, obj=0x2aaab8344220)
    at /home/yury/Work/mozilla-central/js/src/jstypedarray.cpp:2448
#2  0x00000000004fd93f in JSObject::finalize (this=0x2aaab8344220, 
    fop=0x7fffffffc440)
    at /home/yury/Work/mozilla-central/js/src/jsobjinlines.h:235
#3  0x0000000000510f68 in js::gc::Arena::finalize<JSObject> (
    this=0x2aaab8344000, fop=0x7fffffffc440, 
    thingKind=js::gc::FINALIZE_OBJECT8, thingSize=96)
    at /home/yury/Work/mozilla-central/js/src/jsgc.cpp:348
#4  0x000000000050c7c6 in js::gc::FinalizeTypedArenas<JSObject> (
    fop=0x7fffffffc440, src=0x7fffffffc278, dest=..., 
    thingKind=js::gc::FINALIZE_OBJECT8, budget=...)
    at /home/yury/Work/mozilla-central/js/src/jsgc.cpp:412
#5  0x00000000004fdebb in js::gc::FinalizeArenas (fop=0x7fffffffc440, 
    src=0x7fffffffc278, dest=..., thingKind=js::gc::FINALIZE_OBJECT8, 
    budget=...) at /home/yury/Work/mozilla-central/js/src/jsgc.cpp:449
#6  0x0000000000501145 in js::gc::ArenaLists::finalizeNow (this=0xd24b78, 
    fop=0x7fffffffc440, thingKind=js::gc::FINALIZE_OBJECT8)
    at /home/yury/Work/mozilla-central/js/src/jsgc.cpp:1626

CC'ing 102c2795bacc patch author

Thanks. That's a nice stack trace. I'll work in bug 787775.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE