Closed Bug 271718 Opened 20 years ago Closed 19 years ago

another crash on infinite loop creating new arrays [@ js_NewObject]

Categories

(Core :: JavaScript Engine, defect, P2)

x86
Linux
defect

Tracking

RESOLVED WORKSFORME
mozilla1.8beta4

People

(Reporter: Biesinger, Assigned: brendan)

Details

(Keywords: crash, js1.5)

Attachments

(5 files)

testcase is still attachment 167017 [details]
loading that file now crashed in a different location

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1081527136 (LWP 4420)]
0x401e592d in js_NewObject (cx=0x8623940, clasp=0x4022cfa0, proto=0xbe89538, parent=0x83e5b30) at /home/chb/mozilla/js/src/jsobj.c:1798
1798 if (proto &&
Current language: auto; currently c
#0 0x401e592d in js_NewObject (cx=0x8623940, clasp=0x4022cfa0, proto=0xbe89538, parent=0x83e5b30) at /home/chb/mozilla/js/src/jsobj.c:1798
#1 0x401cdef3 in js_Interpret (cx=0x8623940, result=0xbfffd600) at /home/chb/mozilla/js/src/jsinterp.c:3178
[...]
1798 if (proto &&
1799 (map = proto->map)->ops == ops &&
(gdb) print *proto
$1 = {map = 0x0, slots = 0x0}
Summary: another crash on infinite loop creating new arrays → another crash on infinite loop creating new arrays [@ js_NewObject]
Marking dependency on bug containing the testcase. This may be a separate bug, or another symptom of the same bug (in which case, DUP). /be
Depends on: 271716
seamonkey 1.8 winxpsp2 stack running js1_5/Regress/regress-271716-n.js online. Note does not crash a trunk smopt js shell from yesterday with or without -S 512888.
This stacktrace is from loading attachment 167017 [details]. It appears after interacting with the chrome and appears to be related to lack of OOM handling in XBL.
Hm... I seem to be unable to crash now with: checkout finish: Don Mär 3 01:38:48 CET 2005 linux, seamonkey, gtk2/xft fixed by bug 271716?
I crashed now at #0 0x00cbce6b in js_GetGCThingFlags (thing=0xdadadad8) with bc's testcase...
Should we mark this as a dupe of bug 271716 and open a new bug on the crash during out of memory reporting or morph this bug?
QA Contact: pschwartau → moz
*** Bug 300234 has been marked as a duplicate of this bug. ***
Taking. /be
Assignee: general → brendan
Flags: blocking-aviary1.1+
Keywords: js1.5
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta4
Flags: testcase?
Flags: blocking-aviary1.5+ → blocking1.9a1?
Flags: testcase? → testcase+
Bob, does this still reproduce? /be
works for me on 1.8*,1.9 all platforms. only reproducible on 1.7*. I'll review bugs with testcases for others to mark as wfm.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Flags: blocking1.9a1?
Crash Signature: [@ js_NewObject]