Crash [@ QuoteString] with !JS_THREADED_INTERP

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 10 years ago
Modified: 6 years ago
Reporter: timeless
Assignee: Unassigned
Version: Trunk
Keywords: crash, testcase
Bug Flags: in-testsuite ?
Attachments: 2 attachments, 1 obsolete attachment

Description (Reporter, 10 years ago)

Created attachment 351763 [details]
testcase

QuoteString (sp=0xbf943af8, str=0xb0, quote=<value optimized out>)
    at jsopcode.cpp:611
/home/timeless/454561/js/src/jsopcode.cpp:611:17145:beg:0x80bb419
(gdb) bt
#0  QuoteString (sp=0xbf943af8, str=0xb0, quote=<value optimized out>)
    at jsopcode.cpp:611
#1  0x080bb664 in js_QuoteString (cx=0x9aca470, str=0xb0, quote=34)
    at jsopcode.cpp:672
#2  0x080e4d5b in js_ValueToSource (cx=0x9aca470, v=176) at jsstr.cpp:3067
#3  0x080c4564 in js_DecompileValueGenerator (cx=0x9aca470, spindex=-1, v=180,
    fallback=0x0) at jsopcode.cpp:5035
#4  0x080a77c0 in js_TraceOpcode (cx=0x9aca470, len=4) at jsinterp.cpp:2016
#5  0x08083fb8 in js_Interpret (cx=0x9aca470) at jsinterp.cpp:2830
#6  0x080a8ead in js_Execute (cx=0x9aca470, chain=0x9acd000, script=0x9ad5f48,
    down=0x0, flags=0, result=0x0) at jsinterp.cpp:1559
#7  0x08050d1d in JS_ExecuteScript (cx=0x9aca470, obj=0x9acd000,
    script=0x9ad5f48, rval=0x0) at jsapi.cpp:5081
#8  0x0804dacd in Process (cx=0x9aca470, obj=0x9acd000,
    filename=<value optimized out>, forceTTY=0) at js.cpp:280
#9  0x0804e098 in ProcessArgs (cx=0x9aca470, obj=0x9acd000, argv=0xbf9451a8,
    argc=4) at js.cpp:553
#10 0x0804e323 in main (argc=5, argv=0xbf9451a4, envp=0xbf9451bc)
    at js.cpp:4086

Note: I hit this on Win32, and then had to apply a patch to reproduce this on Linux.

Comment 1 (Reporter, 10 years ago)

Created attachment 351764 [details] [diff] [review]
disable threaded_interp

Comment 2 (Reporter, 10 years ago)

Simplified testcase:
tracing(1);(function () {if (typeof undefined != "object") {}})();tracing(0);

Note that changing any of:
 undefined          => ({})
 !=                 =>  ==
 "object"           => "undefined"
 (function(){       =\
             })()   =/ 

causes the crash to go away.

This also crashes:
tracing(1);(function () {if (typeof ({}) == "object") {}})();tracing(0);

Comment 3 (Reporter, 10 years ago)

Created attachment 351767 [details] [diff] [review]
support tracing()

So, I like tracing, and I want certain people to use it. AFAICT this is all it takes to get that to happen (minus the crash, which I'd like fixed).
Attachment #351764 - Attachment is obsolete: true

gal/david, is this related to bug 476653 in any way?

(Asking because timeless already has a patch of some sort.)

Gary: No, this is unrelated.
Keywords: crash, testcase

Testcases in comment #0 and #2 seem to WFM on Mac. Not yet tested on Linux/Win32.
Flags: in-testsuite?
Crash Signature: [@ QuoteString]

Comment 7 (6 years ago)

tracing() has been removed.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME