Closed Bug 582451 Opened 14 years ago Closed 14 years ago

Crash in [@ js_IsDensePrimitiveArray ]

Categories: Core :: JavaScript Engine, defect
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED

People: Reporter: marcia, Assigned: gal

Details: Keywords: crash, regression; Whiteboard: fixed-in-tracemonkey

Attachments: 1 file

Seen while running Mozilla/5.0 (Windows; Windows NT 5.1; rv:2.0b3pre) Gecko/20100727 Minefield/4.0b3pre

STR:
1. Load site in URL.
2. Crash 100%

Does not crash using FF 3.6.8.

https://crash-stats.mozilla.com/report/index/bp-c422e063-cd6f-4a55-a7ef-f29152100727

Frame  	Module  	Signature  	Source
0 	mozjs.dll 	js_IsDensePrimitiveArray 	js/src/jsarray.cpp:3328
1 	xul.dll 	nsContentUtils::ReparentClonedObjectToScope 	content/base/src/nsContentUtils.cpp:5878
2 	xul.dll 	nsDOMWorkerMessageEvent::GetData 	dom/src/threads/nsDOMWorkerEvents.cpp:299
3 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
4 	xul.dll 	XPC_WN_GetterSetter 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1840
5 	mozjs.dll 	Invoke<int > 	js/src/jsinterp.cpp:591
6 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:693
7 	mozjs.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:739
8 	mozjs.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:4922
9 	mozjs.dll 	js_Interpret 	js/src/jsops.cpp:1491
10 	mozjs.dll 	Invoke<int > 	js/src/jsinterp.cpp:602
11 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:693
12 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1689
13 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:570
14 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
15 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
16 	xul.dll 	nsDOMWorkerMessageHandler::DispatchEvent 	dom/src/threads/nsDOMWorkerMessageHandler.cpp:329
http://tinyurl.com/2ecxarh indicates there are a few Mac crashes as well, so changing to all.
OS: Windows XP → All
Hardware: x86 → All
Sounds like obj->dslots is null even though length is nonzero.  Gal has been in this code recently, I think.
I don't think my code was merged yet, but yeah, I looked at this recently.
Assignee: general → gal
Wow, that code is totally wrong:

    // Bounds the loop by the JS-visible length, then indexes dslots directly;
    // dslots can still be null while length is nonzero (the crash in this bug).
    jsuint length = obj->getArrayLength();
    for (jsuint i = 0; i < length; i++) {
        if (obj->dslots[i].isObject())
            return JS_FALSE;
    }
Blocks: 559476
Attached patch: patch
Capacity is in fslots now, so it's safe to always read it, and it's OK to ignore length; slots past length will be holes, which are primitive.
Attachment #460773 - Flags: review?(brendan)
Attachment #460773 - Flags: review?(brendan) → review+
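As an added illustration (not code from this bug or from SpiderMonkey), a simplified model of the array layout discussed above: the quoted loop, bounded by length, indexes dslots even when nothing has been allocated, while a loop bounded by capacity, which is 0 whenever dslots is null, never touches unallocated storage. The struct, field and method names below are stand-ins, not SpiderMonkey's own.

```cpp
#include <cstdint>

// Stand-in for a JS value slot: only records whether it holds an object.
struct Value {
    bool isObj;
    bool isObject() const { return isObj; }
};

// Stand-in for a dense array object. 'length' is the JS-visible length,
// 'capacity' is the number of allocated slots, and 'dslots' stays null until
// some element storage exists (e.g. after only the length was set).
struct DenseArray {
    uint32_t length;
    uint32_t capacity;   // always 0 when dslots is null
    Value *dslots;
    uint32_t getArrayLength() const { return length; }
    uint32_t getDenseArrayCapacity() const { return capacity; }
};

// The pattern quoted in the bug, bounded by length. Returns 1 if every
// element is primitive, 0 if an object is found, and -1 where the real
// loop would dereference a null dslots (length > 0, nothing allocated):
// the crash reported here, modelled as a return code so it can be tested.
int isDensePrimitiveArrayBuggy(const DenseArray &obj) {
    uint32_t length = obj.getArrayLength();
    if (length > 0 && obj.dslots == nullptr)
        return -1;
    for (uint32_t i = 0; i < length; i++) {
        if (obj.dslots[i].isObject())
            return 0;
    }
    return 1;
}

// The approach described in the fix: bound the loop by capacity instead.
// Capacity is always safe to read and is 0 whenever dslots is null, so the
// loop body never runs on an unallocated array; slots past length are holes,
// which count as primitive, so scanning them changes nothing.
bool isDensePrimitiveArrayFixed(const DenseArray &obj) {
    uint32_t capacity = obj.getDenseArrayCapacity();
    for (uint32_t i = 0; i < capacity; i++) {
        if (obj.dslots[i].isObject())
            return false;
    }
    return true;
}
```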
Marcia, thanks for the report. Was really easy to identify and fix based on the stack you posted.

http://hg.mozilla.org/tracemonkey/rev/d7c7ba27b84e
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/d7c7ba27b84e
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_IsDensePrimitiveArray ]
Issue is resolved - clearing old keywords - qa-wanted clean-up