Closed Bug 457336 Opened 16 years ago Closed 16 years ago

TM: JIT - crash [@ js_Any_setelem]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: bc, Assigned: gal)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

m-c, content jit, debug browser, 32bit linux

#5  <signal handler called>
#6  0x00b67def in js_Any_setelem_int (cx=0xa92c958, obj=0x1, index=1, 
    v=175157984)
    at /work/mozilla/builds/1.9.1/mozilla/js/src/jsbuiltins.cpp:558
#7  0x005e38c7 in ?? ()
#8  0x00000001 in ?? ()
#9  0x0a70b2e0 in ?? ()
#10 0xbfd32320 in ?? ()
#11 0x005e38a4 in ?? ()
#12 0x00000000 in ?? ()
Flags: in-testsuite+
Flags: in-litmus-
Do you have a test case for this for the shell?
Assignee: general → gal
Nope. browser only.
Reproduced in the shell. Debugging.
Simplified test case.

var a = new Array(10);
for (var i = 0; i < 10; ++i)
    a[i] = { 0: true, 1: {} };
Further simplified:

for (var i = 0; i < 10; ++i)
    ({ 0: 5, 1: 5 });
Comment on attachment 340676
Cleanup SETELEM, box early (in case we side exit on that) and don't set return value if INITELEM or followed by POP.

With the if-else flip you mentioned, r=me.

/be
Attachment #340676 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/cfa7088079da
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_Any_setelem]