Closed
Bug 888543
Opened 11 years ago
Closed 11 years ago
GenerationalGC: Crash [@ js::ObjectImpl::getClass]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(1 file)
|
(deleted),
text/plain
|
Details |
gc()
function f() {
r = RegExp("()");
s = "";
s.h();
e({
e: x
})
}
for each(y in (function() {
for (v of [0, 0, 0, 0, 0, 0, 0, new String(),
0, 0, 0, new String(), 0, new String(),
new String(), new String(), 0,
new String(), new String(), 0, new String(),
new String(), new String(),
new String(), 0, 0, 0, new String(), 0,
new String(), new String(), new String(),
0, 0, 0, 0, new String(), 0, 0,
new String(), new String(), 0, 0,
new String(), new String(), new String(),
0, new String(), new String(), 0, 0
]) {
yield
}
})())
try {
f()
} catch (e) {
'' + e
}
crashes js debug shell (tested with a threadsafe deterministic 64-bit debug build) on m-c changeset 942686767e5e without any CLI arguments at js::ObjectImpl::getClass
I tested this with a shell that is not compiled with --enable-gcgenerational --enable-exact-rooting and it does not seem to occur.
|
Reporter | |
Updated•11 years ago
|
Flags: needinfo?(terrence)
|
||
Updated•11 years ago
|
Crash Signature: [@ js::ObjectImpl::getClass] → [@ js::ObjectImpl::getClass()]
|
||
Comment 1•11 years ago
|
||
I was not able to reproduce on 942686767e5e or tip on linux64 with the following configurations:
CC="gcc -m64" CXX="g++ -m64" CCACHE_CPP2="1" CCACHE_UNIFY="1" ./configure --disable-optimize --enable-debug --enable-gcgenerational --enable-exact-rooting --with-ccache=/usr/bin/ccache --with-system-nspr --enable-threadsafe --enable-more-deterministic --disable-intl-api
CC="gcc -m64" CXX="g++ -m64" ./configure --enable-optimize --enable-debug --enable-gcgenerational --enable-exact-rooting --with-system-nspr --enable-threadsafe --enable-more-deterministic --disable-intl-api
$ ggc --version | head -n1
gcc (Gentoo 4.6.3 p1.13, pie-0.5.2) 4.6.3
Flags: needinfo?(terrence)
|
|
Reporter | |
Comment 2•11 years ago
|
||
I can still reproduce on Mac 10.8 rev c193fdeb4932.
|
|
Reporter | |
Comment 3•11 years ago
|
||
Extra configure flags I also had:
--target=x86_64-apple-darwin11.4.0 --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests
On Mac, one has to compile using Clang.
$ clang --version
Apple LLVM version 4.2 (clang-425.0.28) (based on LLVM 3.2svn)
Target: x86_64-apple-darwin12.4.0
Thread model: posix
Flags: needinfo?(terrence)
|
|
||
Comment 4•11 years ago
|
||
I was again unable to reproduce.
Configured with:
CC="clang -m64" CXX="clang++ -m64" CXXFLAGS="-fcolor-diagnostics" CCACHE_CC="clang" ./configure --enable-optimize --enable-debug --enable-gcgenerational --enable-exact-rooting --with-system-nspr --enable-threadsafe --enable-more-deterministic --enable-gczeal --disable-intl-api --enable-profiling --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests
Compiled with:
clang version 3.3 (tags/RELEASE_33/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
So it is either platform or compiler specific.
Flags: needinfo?(terrence)
|
|
Reporter | |
Comment 5•11 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3192742f570a
user: Terrence Cole
date: Tue Jul 09 17:31:42 2013 -0700
summary: Bug 886630 - Post barrier generator frames when they stop running; r=billm
I can no longer reproduce this, seemingly fixed by bug 886630.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Target Milestone: --- → mozilla25
|
|
||
Comment 6•11 years ago
|
||
Agreed. The stack strongly indicates that the fix in that bug should have fixed this too.
You need to log in
before you can comment on or make changes to this bug.
Description
•