Closed
Bug 452346
Opened 11 years ago
Closed 11 years ago
Crash [@ Balloc]
Categories
(Core :: JavaScript Engine, defect, critical)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: mrbkap)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(1 file)
|
378 bytes,
patch
|
crowderbt
:
review+
|
Details | Diff | Splinter Review |
./js -j js> for (j=0;j<2;++j) (0.1).toPrecision(30) Crash [@ Balloc] trying to dereference the bogus address 0x35313131.
|
Assignee | |
Comment 2•11 years ago
|
||
This appears to be a latent bug in the new dtoa: sizeof i can't be the right test. The rest of this is that we're not allocating a nearly large enough chunk of memory and scribbling all over the free list.
|
||
Comment 3•11 years ago
|
||
Comment on attachment 335663 [details] [diff] [review] Fix? Ugh, no... this is a bug I must've accidentally introduced trying to kill compiler warnings. Thanks for fixing.
Attachment #335663 -
Flags: review?(crowder) → review+
|
|
Assignee | |
Comment 4•11 years ago
|
||
Pushed to m-c as http://hg.mozilla.org/index.cgi/mozilla-central/rev/976532d183de
|
|
Assignee | |
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Summary: Crash [@ Balloc] → TM: Crash [@ Balloc]
|
Reporter | |
Updated•11 years ago
|
Summary: TM: Crash [@ Balloc] → Crash [@ Balloc]
|
|
||
Comment 5•11 years ago
|
||
Jesse, I thought the convention was to add TM: to the summary for tracemonkey/jit related bugs regardless of repository.
|
|
||
Comment 7•11 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452346.js,v <-- regress-452346.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/pushloghtml
|
|
||
Updated•11 years ago
|
Flags: in-testsuite+
Flags: in-litmus-
|
||
Updated•9 years ago
|
Crash Signature: [@ Balloc]
You need to log in
before you can comment on or make changes to this bug.
Description
•