Closed
Bug 1236759
Opened 10 years ago
Closed 10 years ago
Crash [@ js::jit::ICStub::trace]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1234663
| | Tracking | Status |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --baseline-eager --ion-shared-stubs=on):
gczeal(4);
g = (function() {
    var h = Function("this.__defineSetter__ ( \"eval\", function(){})");
    function f() {
        h();
    }
    return f;
})();
for (var k = 0; k < 9999; ++k) {
    g();
}
setJitCompilerOption('baseline.enable', 1);
Backtrace:
0 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x00000001003cb778 js::jit::ICStub::trace(JSTracer*) + 24 (IonCode.h:142)
1 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x00000001003cb74b js::jit::ICEntry::trace(JSTracer*) + 27 (SharedIC.h:646)
2 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x000000010021e963 js::jit::IonScript::trace(JSTracer*) + 195 (Ion.cpp:1086)
3 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x0000000100606d35 JSScript::setIonScript(JSContext*, js::jit::IonScript*) + 101 (jsscript.cpp:1550)
4 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x00000001002319bd js::jit::FinishInvalidation(js::FreeOp*, JSScript*) + 61 (Heap.h:1436)
5 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x000000010059d7f6 js::ReleaseAllJITCode(js::FreeOp*) + 470 (jsgc.cpp:7047)
6 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x0000000100535c0a JS_SetGlobalJitCompilerOption(JSRuntime*, JSJitCompilerOption, unsigned int) + 378 (jsapi.cpp:5818)
7 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x00000001007264b9 SetJitCompilerOption(JSContext*, unsigned int, JS::Value*) + 521 (TestingFunctions.cpp:1752)
8 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x000000010074f8c2 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 786 (jscntxtinlines.h:236)
9 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x00000001007500fb js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:512)
10 js-dbg-64-dm-darwin-d7a0ad85d9fb 0x000000010018f57b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2811 (BaselineIC.cpp:6184)
11 ??? 0x0000000101df52db 0 + 4326380251
12 ??? 0x0000000103e2bec0 0 + 4360158912
Reporter
Comment 1•10 years ago
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151117080511" and the hash "fe34d01fb2ecb2dd4cda82e788cf7b541d5cbdb4".
The "bad" changeset has the timestamp "20151117094304" and the hash "c6139e8bad12b756a178dd7eb005c82cf247bd43".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=fe34d01fb2ecb2dd4cda82e788cf7b541d5cbdb4&tochange=c6139e8bad12b756a178dd7eb005c82cf247bd43
Hannes, is bug 1214508 a likely regressor?
Blocks: 1214508
Flags: needinfo?(hv1989)
Comment 2•10 years ago
Verified fixed by bug 1234663
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
Updated•9 years ago