Closed Bug 452346 Opened 14 years ago Closed 14 years ago

Crash [@ Balloc]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(1 file)

Fix?
378 bytes, patch
crowderbt
: review+
Details | Diff | Splinter Review 
./js -j
js> for (j=0;j<2;++j) (0.1).toPrecision(30)

Crash [@ Balloc] trying to dereference the bogus address 0x35313131.
Oops, this happens even with -j off.
No longer blocks: landtm
Attached patch Fix?Splinter Review 
This appears to be a latent bug in the new dtoa: sizeof i can't be the right test. The rest of this is that we're not allocating a nearly large enough chunk of memory and scribbling all over the free list.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #335663 - Flags: review?(crowder)
Comment on attachment 335663 [details] [diff] [review]
Fix?

Ugh, no...  this is a bug I must've accidentally introduced trying to kill compiler warnings.  Thanks for fixing.
Attachment #335663 - Flags: review?(crowder) → review+
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Summary: Crash [@ Balloc] → TM: Crash [@ Balloc]
Summary: TM: Crash [@ Balloc] → Crash [@ Balloc]
Jesse, I thought the convention was to add TM: to the summary for tracemonkey/jit related bugs regardless of repository.
This bug happens even without the JIT enabled.  See comment 1.
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452346.js,v  <--  regress-452346.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/pushloghtml
Flags: in-testsuite+
Flags: in-litmus-
Crash Signature: [@ Balloc]
You need to log in before you can comment on or make changes to this bug.