Closed
Bug 271718
Opened 20 years ago
Closed 18 years ago
another crash on infinite loop creating new arrays [@ js_NewObject]
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
RESOLVED
WORKSFORME
mozilla1.8beta4
People
(Reporter: Biesinger, Assigned: brendan)
References
()
Details
(Keywords: crash, js1.5)
Crash Data
Attachments
(5 files)
testcase is still attachment 167017 [details]
loading that file now crashed in a different location
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1081527136 (LWP 4420)]
0x401e592d in js_NewObject (cx=0x8623940, clasp=0x4022cfa0, proto=0xbe89538,
parent=0x83e5b30)
at /home/chb/mozilla/js/src/jsobj.c:1798
1798 if (proto &&
Current language: auto; currently c
#0 0x401e592d in js_NewObject (cx=0x8623940, clasp=0x4022cfa0, proto=0xbe89538,
parent=0x83e5b30)
at /home/chb/mozilla/js/src/jsobj.c:1798
#1 0x401cdef3 in js_Interpret (cx=0x8623940, result=0xbfffd600) at
/home/chb/mozilla/js/src/jsinterp.c:3178
[...]
1798 if (proto &&
1799 (map = proto->map)->ops == ops &&
(gdb) print *proto
$1 = {map = 0x0, slots = 0x0}
|
Reporter | |
Comment 1•20 years ago
|
||
|
|
Reporter | |
Comment 2•20 years ago
|
||
|
|
Reporter | |
Updated•20 years ago
|
Summary: another crash on infinite loop creating new arrays → another crash on infinite loop creating new arrays [@ js_NewObject]
|
Assignee | |
Comment 3•20 years ago
|
||
Marking dependency on bug containing the testcase. This may be a separate bug, or another symptom of the same bug (in which case, DUP). /be
Depends on: 271716
|
||
Comment 4•19 years ago
|
||
seamonkey 1.8 winxpsp2 stack running js1_5/Regress/regress-271716-n.js online. Note does not crash a trunk smopt js shell from yesterday with or without -S 512888.
|
|
||
Comment 5•19 years ago
|
||
This stacktrace is from loading attachment 167017 [details]. It appears after interacting
with the chrome and appears to be related to lack of OOM handling in XBL.|
|
Reporter | |
Comment 6•19 years ago
|
||
Hm... I seem to be unable to crash now with: checkout finish: Don Mär 3 01:38:48 CET 2005 linux, seamonkey, gtk2/xft fixed by bug 271716?
|
|
Reporter | |
Comment 7•19 years ago
|
||
I crashed now at #0 0x00cbce6b in js_GetGCThingFlags (thing=0xdadadad8) with bc's testcase...
|
|
||
Comment 8•19 years ago
|
||
Should we mark this as a dupe of bug 271716 and open a new bug on the crash during out of memory reporting or morph this bug?
QA Contact: pschwartau → moz
|
||
Comment 9•19 years ago
|
||
*** Bug 300234 has been marked as a duplicate of this bug. ***
|
|
Assignee | |
Comment 10•19 years ago
|
||
Taking. /be
Assignee: general → brendan
Flags: blocking-aviary1.1+
Keywords: js1.5
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta4
|
|
||
Updated•19 years ago
|
Flags: testcase?
|
||
Updated•19 years ago
|
Flags: blocking-aviary1.5+ → blocking1.9a1?
|
|
||
Updated•19 years ago
|
Flags: testcase? → testcase+
|
|
Assignee | |
Comment 11•18 years ago
|
||
Bob, does this still reproduce? /be
|
|
||
Comment 12•18 years ago
|
||
works for me on 1.8*,1.9 all platforms. only reproducible on 1.7*. I'll review bugs with testcases for others to mark as wfm.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
|
||
Updated•17 years ago
|
Flags: blocking1.9a1?
|
||
Updated•13 years ago
|
Crash Signature: [@ js_NewObject]
You need to log in
before you can comment on or make changes to this bug.
Description
•