Closed
Bug 835495
Opened 11 years ago
Closed 8 years ago
Crash [@ JSString::isAtom]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
Description

The following testcase crashes on mozilla-central revision 80fed51ae074 (no options required):

try {
  this.watch("x", ''.concat);
  for (var x in f1) { f1[x]; };
} catch(exc1) {}
for (var i = (null); i < 100; ++i) { x += 5; }
Comment 1 (Reporter) • 11 years ago
Crash Trace:

==5136== Invalid read of size 4
==5136==    at 0x804DB56: JSString::isAtom() const (String.h:380)
==5136==    by 0x834A459: JSString* js::ConcatStrings<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType) (String.cpp:305)
==5136==    by 0x82502E3: str_concat(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:3075)
==5136==    by 0x81745A6: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:353)
==5136==    by 0x817E609: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:390)
==5136==    by 0x80AFAA4: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:131)
==5136==    by 0x817E97D: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:437)
==5136==    by 0x8316D9F: obj_watch_handler(JSContext*, JSObject*, jsid, JS::Value, JS::Value*, void*) (Object.cpp:560)
==5136==    by 0x82A776A: js::WatchpointMap::triggerWatchpoint(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (jswatchpoint.cpp:150)
==5136==    by 0x81BC1B2: js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, int) (jsobj.cpp:3908)
==5136==    by 0x817A661: js::SetNameOperation(JSContext*, JSScript*, unsigned char*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) (jsinterpinlines.h:499)
==5136==    by 0x8185E47: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2256)
==5136==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Whiteboard: [jsbugmon:update,bisect]
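The Valgrind report in comment 1 is the raw material that fuzzing triage bots such as JSBugMon condense into the "Crash [@ JSString::isAtom]" signature in this bug's title. The Python below is an added example, not Mozilla's or JSBugMon's code: it parses that report (copied verbatim as sample input), splitting on Valgrind's ==PID== line markers so it also works when a tracker export has run the report onto one line as happened on this page, reduces the innermost frame to the [@ ...] signature form, and assigns a coarse triage label from the "Address 0x0 is not stack'd ..." note. The function names, dataclasses and the label vocabulary (null-deref, use-after-free, heap-overflow, wild) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Valgrind report copied from comment 1 of this bug. Valgrind prefixes every line
# with "==PID=="; the parser splits on that marker instead of on newlines, so it also
# accepts a tracker export that has run the report together on a single line.
VALGRIND_TRACE = """
==5136== Invalid read of size 4
==5136==    at 0x804DB56: JSString::isAtom() const (String.h:380)
==5136==    by 0x834A459: JSString* js::ConcatStrings<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType) (String.cpp:305)
==5136==    by 0x82502E3: str_concat(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:3075)
==5136==    by 0x81745A6: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:353)
==5136==    by 0x817E609: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:390)
==5136==    by 0x80AFAA4: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:131)
==5136==    by 0x817E97D: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:437)
==5136==    by 0x8316D9F: obj_watch_handler(JSContext*, JSObject*, jsid, JS::Value, JS::Value*, void*) (Object.cpp:560)
==5136==    by 0x82A776A: js::WatchpointMap::triggerWatchpoint(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) (jswatchpoint.cpp:150)
==5136==    by 0x81BC1B2: js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, int) (jsobj.cpp:3908)
==5136==    by 0x817A661: js::SetNameOperation(JSContext*, JSScript*, unsigned char*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) (jsinterpinlines.h:499)
==5136==    by 0x8185E47: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2256)
==5136==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

MARKER = re.compile(r"==\d+==\s*")
ACCESS = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (.*?)(?: \(([^()]*:\d+)\))?$")
ADDRESS = re.compile(r"^Address (0x[0-9A-Fa-f]+) is (.*)$")

@dataclass
class Frame:
    address: str
    function: str            # demangled name exactly as Valgrind printed it
    location: Optional[str]  # "file:line", present when debug info was available

@dataclass
class CrashReport:
    access: str                   # "read" or "write"
    size: int                     # access width in bytes
    fault_address: Optional[int]  # None if Valgrind printed no "Address ..." line
    fault_note: str               # Valgrind's description of that address
    frames: List[Frame]           # innermost frame first

def split_valgrind_lines(text: str) -> List[str]:
    """Logical report lines with the ==PID== markers removed."""
    return [part.strip() for part in MARKER.split(text) if part.strip()]

def normalize_function(function: str) -> str:
    """Reduce a demangled C++ frame to the form used in "Crash [@ ...]" bug titles:
    drop return type, template arguments, parameter list and cv-qualifiers.
    Assumption: plain signatures; operator< style names are not handled."""
    kept, depth = [], 0          # depth = nesting inside <...>
    for ch in function:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0:
            if ch == "(":        # start of the parameter list ends the name
                break
            kept.append(ch)
    name = "".join(kept).strip()
    return name.split()[-1] if name else ""   # drop a leading return type

def parse_valgrind(text: str) -> CrashReport:
    access, size, fault_address, fault_note = None, 0, None, ""
    frames: List[Frame] = []
    for line in split_valgrind_lines(text):
        if m := ACCESS.match(line):
            access, size = m.group(1), int(m.group(2))
        elif m := FRAME.match(line):
            frames.append(Frame(m.group(1), m.group(2), m.group(3)))
        elif m := ADDRESS.match(line):
            fault_address, fault_note = int(m.group(1), 16), m.group(2)
    if access is None or not frames:
        raise ValueError("not a Valgrind invalid-access report")
    return CrashReport(access, size, fault_address, fault_note, frames)

def crash_signature(report: CrashReport) -> str:
    """Bugzilla-style signature from the innermost frame, e.g. "[@ JSString::isAtom]"."""
    return "[@ " + normalize_function(report.frames[0].function) + "]"

def classify(report: CrashReport) -> str:
    """Coarse triage label from Valgrind's note about the faulting address. The labels
    are this example's own: a first sort for a fuzzing queue, not a verdict."""
    if report.fault_address is not None and report.fault_address < 0x1000:
        return f"null-deref-{report.access}"       # null or near-null pointer, as here
    note = report.fault_note
    if "free'd" in note and not note.startswith("not "):
        return f"use-after-free-{report.access}"   # "... inside a block ... free'd"
    if "alloc'd" in note and ("after" in note or "before" in note):
        return f"heap-overflow-{report.access}"    # "... bytes after a block ... alloc'd"
    return f"wild-{report.access}"                 # unmapped or otherwise unknown address
```

Running parse_valgrind(VALGRIND_TRACE) gives a 12-frame report with fault_address 0, crash_signature() returns "[@ JSString::isAtom]", and classify() returns "null-deref-read": a read through a null pointer, which is consistent with JSBugMon later finding the crash gone and the bug closing as WORKSFORME rather than as a memory-safety fix. The classification only sorts a queue; deciding whether a null-pointer read hides something worse still means reading the code at the top frame.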
Updated by Reporter • 11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
Comment 2 (Reporter) • 11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a46bc920998d).
Updated by Reporter • 11 years ago
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:update,bisectfix]
Updated by Reporter • 11 years ago
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Updated by Assignee • 10 years ago
Assignee: general → nobody
Comment 3 • 8 years ago
More than 3 years old, WFM now with various JIT flags.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME