Closed Bug 452346 Opened 14 years ago Closed 14 years ago
Crash [@ Balloc]
./js -j js> for (j=0;j<2;++j) (0.1).toPrecision(30) Crash [@ Balloc] trying to dereference the bogus address 0x35313131.
Oops, this happens even with -j off.
No longer blocks: landtm
This appears to be a latent bug in the new dtoa: sizeof i can't be the right test. The rest of this is that we're not allocating a nearly large enough chunk of memory and scribbling all over the free list.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #335663 - Flags: review?(crowder)
Comment on attachment 335663 [details] [diff] [review] Fix? Ugh, no... this is a bug I must've accidentally introduced trying to kill compiler warnings. Thanks for fixing.
Attachment #335663 - Flags: review?(crowder) → review+
Pushed to m-c as http://hg.mozilla.org/index.cgi/mozilla-central/rev/976532d183de
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Jesse, I thought the convention was to add TM: to the summary for tracemonkey/jit related bugs regardless of repository.
This bug happens even without the JIT enabled. See comment 1.
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452346.js,v <-- regress-452346.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/pushloghtml
You need to log in before you can comment on or make changes to this bug.