Closed
Bug 1196579
Opened 9 years ago
Closed 9 years ago
Crash [@ exactCapacityIndex]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla43
Tracking | Status | |
---|---|---|
firefox43 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments (1 file)
3.58 KB, patch | jandem: review+
The following testcase crashes on mozilla-central revision 90d9b7c391d3 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --baseline-eager --unboxed-arrays):

setJitCompilerOption("ion.warmup.trigger", 30);
var spaces = [
  "\u0009", "\u000b", "\u000c", "\u0020", "\u00a0", "\u1680",
  "\u180e", "\u2000", "\u2001", "\u2002", "\u2003", "\u2004",
  "\u2005", "\u2006", "\u2007", "\u2008", "\u2009", "\u200a",
];
var line_terminators = [ "\u2028", "\u2029", "\u000a", "\u000d" ];
var space_chars = [].concat(spaces, line_terminators);
var non_space_chars = [ "\u200b", "\u200c", "\u200d" ];
var chars = [].concat(space_chars, non_space_chars);
var is_space = [].concat(space_chars.map(function(ch) { return true; }),
                         non_space_chars.map(function() { return false; }));
chars.map(function(ch) {}).join(',');

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007a1a23 in exactCapacityIndex (capacity=<optimized out>) at js/src/vm/UnboxedObject.cpp:1294
#0 0x00000000007a1a23 in exactCapacityIndex (capacity=<optimized out>) at js/src/vm/UnboxedObject.cpp:1294
#1 js::UnboxedArrayObject::create (cx=0x7ffff6907000, group=..., length=25, newKind=<optimized out>, maxLength=<optimized out>) at js/src/vm/UnboxedObject.cpp:1047
#2 0x000000000050ceef in js::NewFullyAllocatedArrayForCallingAllocationSite (cx=cx@entry=0x7ffff6907000, length=25, newKind=newKind@entry=js::GenericObject, forceAnalyze=forceAnalyze@entry=false) at js/src/jsarray.cpp:3493
#3 0x000000000071a49b in js::intrinsic_NewDenseArray (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7fffffffc090) at js/src/vm/SelfHosting.cpp:307
#4 0x00007ffff7ff5748 in ?? ()
#5 0x00007ffff3400530 in ?? ()
#6 0x00007fffffffc068 in ?? ()
#7 0x00007fffffffc158 in ?? ()
#8 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff3400950 140737274448208
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffbf70 140737488338800
rsp 0x7fffffffbf30 140737488338736
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffbcf0 140737488338160
r11 0x7ffff6c27960 140737333328224
r12 0x19 25
r13 0x1af7340 28275520
r14 0x7ffff6907000 140737330049024
r15 0x6 6
rip 0x7a1a23 <js::UnboxedArrayObject::create(js::ExclusiveContext*, JS::Handle<js::ObjectGroup*>, unsigned int, js::NewObjectKind, unsigned int)+659>
=> 0x7a1a23 <js::UnboxedArrayObject::create(js::ExclusiveContext*, JS::Handle<js::ObjectGroup*>, unsigned int, js::NewObjectKind, unsigned int)+659>: movl $0x50e,0x0
   0x7a1a2e <js::UnboxedArrayObject::create(js::ExclusiveContext*, JS::Handle<js::ObjectGroup*>, unsigned int, js::NewObjectKind, unsigned int)+670>: callq 0x499bc0 <abort()>
Comment 1•9 years ago
Another missing value for the capacity of an unboxed array with inline storage (I guess I should have written a script to find all of these...)
Assignee: nobody → bhackett1024
Attachment #8651130 - Flags: review?(jdemooij)
Updated•9 years ago
Attachment #8651130 - Flags: review?(jdemooij) → review+
Comment 3•9 years ago
https://hg.mozilla.org/mozilla-central/rev/81259cd97224
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43