Closed
Bug 1302394
Opened 8 years ago
Closed 8 years ago
Hit MOZ_CRASH(Unexpected type) at js/src/jit/x86/CodeGenerator-x86.cpp:295 or Crash [@ js::jit::CodeGeneratorX86::visitLoadTypedArrayElementStatic]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1301797
| | Tracking | Status |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(5 keywords, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision cfdb7af3af2e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off):
```js
var arr = new Uint8ClampedArray(1073741824, -1073741824);
for (var j = 0; j < values.length; j++) {
  assertEq(arr[1], arr[j]);
}
```
Backtrace:
```
received signal SIGSEGV, Segmentation fault.
0x084da249 in js::jit::CodeGeneratorX86::visitLoadTypedArrayElementStatic (this=0xf1209000, ins=0xf14ff1b0) at js/src/jit/x86/CodeGenerator-x86.cpp:295
#0 0x084da249 in js::jit::CodeGeneratorX86::visitLoadTypedArrayElementStatic (this=0xf1209000, ins=0xf14ff1b0) at js/src/jit/x86/CodeGenerator-x86.cpp:295
#1 0x08350651 in js::jit::LLoadTypedArrayElementStatic::accept (this=0xf14ff1b0, visitor=0xf1209000) at js/src/jit/shared/LIR-shared.h:6041
#2 0x0824060c in js::jit::CodeGenerator::generateBody (this=0xf1209000) at js/src/jit/CodeGenerator.cpp:5148
#3 0x0824114d in js::jit::CodeGenerator::generate (this=0xf1209000) at js/src/jit/CodeGenerator.cpp:9249
#4 0x0826d564 in js::jit::GenerateCode (mir=0xf14f8150, lir=0xf14fcf08) at js/src/jit/Ion.cpp:2010
#5 0x082d653b in js::jit::CompileBackEnd (mir=0xf14f8150) at js/src/jit/Ion.cpp:2032
#6 0x082d70c6 in js::jit::IonCompile (cx=cx@entry=0xf7953000, script=<optimized out>, baselineFrame=baselineFrame@entry=0xffffc3f8, osrPc=0xf13d12a0 "ず", constructing=false, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2303
#7 0x082d77d2 in js::jit::Compile (cx=cx@entry=0xf7953000, script=script@entry=..., osrFrame=osrFrame@entry=0xffffc3f8, osrPc=0xf13d12a0 "ず", constructing=false, forceRecompile=false) at js/src/jit/Ion.cpp:2479
#8 0x082d80f9 in BaselineCanEnterAtBranch (pc=0xf13d12a0 "ず", osrFrame=0xffffc3f8, script=..., cx=0xf7953000) at js/src/jit/Ion.cpp:2666
#9 js::jit::IonCompileScriptForBaseline (cx=0xf7953000, frame=0xffffc3f8, pc=0xf13d12a0 "ず") at js/src/jit/Ion.cpp:2724
#10 0x089c34bc in js::jit::DoWarmUpCounterFallbackOSR (cx=0xf7953000, frame=0xffffc3f8, stub=0xf135d350, infoPtr=0xffffc3e4) at js/src/jit/BaselineIC.cpp:143
#11 0xf7be3dcb in ?? ()
#12 0xf135d350 in ?? ()
#13 0xf7be2ad3 in ?? ()
eax 0x0 0
ebx 0xf14fb120 -246435552
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0x0 0
edi 0xb1200000 -1323302912
ebp 0xffffbf88 4294950792
esp 0xffffbf00 4294950656
eip 0x84da249 <js::jit::CodeGeneratorX86::visitLoadTypedArrayElementStatic(js::jit::LLoadTypedArrayElementStatic*)+1305>
=> 0x84da249 <js::jit::CodeGeneratorX86::visitLoadTypedArrayElementStatic(js::jit::LLoadTypedArrayElementStatic*)+1305>: movl $0x0,0x0
0x84da253 <js::jit::CodeGeneratorX86::visitLoadTypedArrayElementStatic(js::jit::LLoadTypedArrayElementStatic*)+1315>: ud2
```
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 2•8 years ago
Mark 51 fixed as bug 1301797 is fixed.