Closed Bug 649261 Opened 13 years ago Closed 13 years ago

TI: Crash [@JSString::isAtom] // Null pointer dereference

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder (Unassigned)
Keywords: crash, testcase

The following testcase crashes on TI revision 23a746dac370 (run with -m -n -a),
tested on 64 bit:

var DESCRIPTION;
eval("DESCRIPTION += \"Non-character escapes in identifiers negative test.\";");
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fafc9376720 (LWP 6401)]
0x000000000043ad42 in JSString::isAtom (this=0x0) at ./jsstr.h:345
345             bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
(gdb) bt
#0  0x000000000043ad42 in JSString::isAtom (this=0x0) at ./jsstr.h:345
#1  0x00000000005b6046 in js_ConcatStrings (cx=0x1409db0, left=0x0, right=0x7fafc7d10400) at jsstr.cpp:337
#2  0x0000000000796ccd in js::mjit::stubs::Add (f=@0x7fff6fb0df30) at ./methodjit/StubCalls.cpp:1181
#3  0x00007fafc91d72ab in ?? ()
#4  0x00007fafc91d7210 in ?? ()
#5  0x0000000001470f80 in ?? ()
#6  0x00007fff6fb0e470 in ?? ()
#7  0x0000000000000000 in ?? ()
For GETGNAME/CALLGNAME ops, we didn't record dependencies on the pushed type correctly, so that if it became undefined due to reading a hole we didn't trigger recompilation (JM only looked at the type of the global property itself, which doesn't account for reading holes in the global).

http://hg.mozilla.org/projects/jaegermonkey/rev/a4131835b866
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@JSString::isAtom]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug649261.js.
Flags: in-testsuite+