Closed
Bug 488848
Opened 16 years ago
Closed 16 years ago
Crash [@ strlen] or "Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 488690
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [sg:dupe 488690])
Crash Data
Attachments
(1 file)
|
237 bytes,
application/x-javascript
|
Details |
The attached testcase tops my weirdest-bug-ever-found-list. I have no idea why but it requires 126 newlines followed by a testcase to crash opt.
It crashes opt js shell without -j at strlen at a scary address and asserts js debug shell without -j at Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp:1818
===
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000001001680
Crashed Thread: 0
Thread 0 Crashed:
0 libSystem.B.dylib 0x95af4e70 strlen + 16
1 js-opt-tm-intelmac 0x0006d079 dosprintf(SprintfStateStr*, char const*, char*) + 3353
2 js-opt-tm-intelmac 0x0006d270 JS_vsmprintf + 68
3 js-opt-tm-intelmac 0x000539f7 Sprint(Sprinter*, char const*, ...) + 33
4 js-opt-tm-intelmac 0x00058c1a Decompile(SprintStack*, unsigned char*, int, JSOp) + 17672
5 js-opt-tm-intelmac 0x0005c963 DecompileCode(JSPrinter*, JSScript*, unsigned char*, unsigned int, unsigned int) + 251
6 js-opt-tm-intelmac 0x0005e08a js_DecompileFunction + 796
7 js-opt-tm-intelmac 0x0000a9c5 JS_DecompileFunction + 67
8 js-opt-tm-intelmac 0x0002ffe3 fun_toStringHelper(JSContext*, unsigned int, unsigned int, long*) + 317
9 js-opt-tm-intelmac 0x00043c2e js_Invoke + 964
10 js-opt-tm-intelmac 0x00044506 js_InternalInvoke + 142
11 js-opt-tm-intelmac 0x000508f5 js_TryMethod + 179
12 js-opt-tm-intelmac 0x00082f7f js_ValueToSource + 267
13 js-opt-tm-intelmac 0x0008323a str_uneval(JSContext*, unsigned int, long*) + 40
14 js-opt-tm-intelmac 0x0003cbf0 js_Interpret + 35568
15 js-opt-tm-intelmac 0x00043736 js_Execute + 572
16 js-opt-tm-intelmac 0x0000c8b4 JS_ExecuteScript + 60
17 js-opt-tm-intelmac 0x000040f8 Process(JSContext*, JSObject*, char*, int) + 1288
18 js-opt-tm-intelmac 0x000067bf main + 863
19 js-opt-tm-intelmac 0x000020bb _start + 209
20 js-opt-tm-intelmac 0x00001fe9 start + 41
Flags: blocking1.9.1?
|
Reporter | |
Comment 1•16 years ago
|
||
autoBisect shows that this is probably related to bug 488015 :
The first bad revision is:
changeset: 27205:78a21b8efe1b
user: Brendan Eich
date: Wed Apr 15 01:57:13 2009 -0700
summary: Bug 488015 - Crash [@ js_GetUpvar ] (also bogus JS errors, also probably Crash [@js_Interpret]) (future r=mrbkap, see bug).
Blocks: 488015
Keywords: regression
|
|
||
Comment 2•16 years ago
|
||
This is probably a dup of 488690 -- making it depend for now.
/be
Depends on: 488690
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
|
Reporter | |
Comment 3•16 years ago
|
||
I'm guessing this is now fixed by bug 488690, which has landed on TM branch.
|
|
||
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x-
|
|
||
Updated•16 years ago
|
Group: core-security
Whiteboard: [sg:dupe 488690]
|
|
Reporter | |
Updated•16 years ago
|
Flags: in-testsuite?
|
||
Updated•14 years ago
|
Crash Signature: [@ strlen]
You need to log in
before you can comment on or make changes to this bug.
Description
•