Closed
Bug 450830
Opened 16 years ago
Closed 16 years ago
TM: Crash when compiling iterator code.
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: gal, Unassigned)
count=8; tryItOut("for (var oncx = 0; oncx < 3; ++oncx) { yield eval(\" \\\"\\\" \", <y><z/></y>); } ");

It's an iterator!
recording starting from fuzz.js:599@9
trace
import vp=0x3402c8 name=$callee0 type=object flags=0
import vp=0x3402cc name=$this0 type=object flags=0
import vp=0x3402d0 name=$<anonymous>.oncx type=int flags=0
abort: 3473: fp->scopeChain is not global object
Abort recording (line 599, pc 9): JSOP_CALLNAME.
Trashing tree info.
recording starting from fuzz.js:753@93
trace
import vp=0x835320 name=$callee0 type=object flags=0
import vp=0x835324 name=$this0 type=object flags=0
import vp=0x835328 name=$tryIteration.rv type=object flags=0
import vp=0x8353a4 name=$tryIteration.iterCount type=int flags=0
import vp=0x8353a8 name=$tryIteration.iterValue type=string flags=0
import vp=0x8353ac name=$stack0 type=object flags=0
state = param ecx
param1 = param edx
sp = ld state[0]
rp = ld state[4]
cx = ld state[12]
gp = ld state[8]
eos = ld state[JSVAL_ERROR_COOKIE]
eor = ld state[20]
$callee0 = ld sp[-40]
$this0 = ld sp[-32]
$tryIteration.rv = ld sp[-24]
ld1 = ld sp[-16]
$tryIteration.iterCount = i2f ld1
$tryIteration.iterValue = ld sp[-8]
$stack0 = ld sp[0]
FastCallIteratorNext1 = FastCallIteratorNext ( cx $stack0 )
eq1 = eq FastCallIteratorNext1, JSVAL_ERROR_COOKIE
xt1: xt eq1 -> 0x306fed sp+8 rp+0
eq2 = eq FastCallIteratorNext1, JSVAL_HOLE
eq3 = eq eq2, 0
or1 = or $tryIteration.iterValue, JSVAL_STRING
cmov1 = eq3 ? FastCallIteratorNext1 : or1
and1 = and cmov1, JSVAL_TAGMASK
eq4 = eq and1, JSVAL_STRING
xf1: xf eq4 -> 0x306fed sp+8 rp+0

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00121e99 in nanojit::LIns::isop (this=0x0, o=nanojit::LIR_i2f) at LIR.h:311
311 bool isop(LOpcode o) const { return u.code == o; }
(gdb) bt
#0 0x00121e99 in nanojit::LIns::isop (this=0x0, o=nanojit::LIR_i2f) at LIR.h:311
#1 0x0010d6da in isPromoteInt (i=0x0) at jstracer.cpp:275
#2 0x00122e54 in FuncFilter::ins2 (this=0x341a30, v=nanojit::LIR_fadd, s0=0x0, s1=0x1020138) at jstracer.cpp:359
#3 0x00114a55 in TraceRecorder::inc (this=0x341930, v=@0x3402d0, v_ins=@0xbfffbe3c, incr=1, pre=true) at jstracer.cpp:2148
#4 0x00114b45 in TraceRecorder::inc (this=0x341930, v=@0x3402d0, incr=1, pre=true) at jstracer.cpp:2129
#5 0x0011c4a3 in TraceRecorder::record_JSOP_INCLOCAL (this=0x341930) at jstracer.cpp:4219
#6 0x0008597b in js_Interpret (cx=0x300ca0) at jsopcode.tbl:233
#7 0x00092a7e in SendToGenerator (cx=0x300ca0, op=JSGENOP_NEXT, obj=0x2537c0, gen=0x340250, arg=22) at jsiter.cpp:874
#8 0x00093000 in generator_op (cx=0x300ca0, op=JSGENOP_NEXT, vp=0x8353d0, argc=0) at jsiter.cpp:987
#9 0x00093068 in generator_next (cx=0x300ca0, argc=0, vp=0x8353d0) at jsiter.cpp:1002
#10 0x0008fa5e in js_Invoke (cx=0x300ca0, argc=0, vp=0x8353d0, flags=0) at jsinterp.cpp:1187
#11 0x00090132 in js_InternalInvoke (cx=0x300ca0, obj=0x2537c0, fval=2408784, flags=0, argc=0, argv=0x0, rval=0xbfffdb80) at jsinterp.cpp:1379
#12 0x0009230d in js_CallIteratorNext (cx=0x300ca0, iterobj=0x2537c0, rval=0xbfffdb80) at jsiter.cpp:613
#13 0x000629b9 in js_Interpret (cx=0x300ca0) at jsinterp.cpp:3181
#14 0x0008e9e7 in js_Execute (cx=0x300ca0, chain=0x23e000, script=0x838e00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1545
#15 0x00018e20 in JS_ExecuteScript (cx=0x300ca0, obj=0x23e000, script=0x838e00, rval=0x0) at jsapi.cpp:4942
#16 0x00002afe in Process (cx=0x300ca0, obj=0x23e000, filename=0xbffffa14 "fuzz.js", forceTTY=0) at js.cpp:277
#17 0x0000830e in ProcessArgs (cx=0x300ca0, obj=0x23e000, argv=0xbffff918, argc=2) at js.cpp:568
#18 0x00009484 in main (argc=2, argv=0xbffff918, envp=0xbffff924) at js.cpp:3983
Comment 2 • 16 years ago
The testcase in the dup WFM. I turned the iteration stuff in the fuzzer back on and didn't find any crashes/assertions in the first few seconds. If I do find anything, it will be a new bug :)
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME