Closed
Bug 496270
Opened 14 years ago
Closed 14 years ago
TM: crash [@ js_ValueToNumber] or [@ JS_Enumerate]; corrupted array?
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta4-fixed |
| status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Assigned: dmandelin)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
|
1.38 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
+[(e = {}, (function () e)()) for each (e in ["", {}, "", {}, ""])][4];
Crash [@ js_ValueToNumber] touching 0x20000000
+[(e = {}, (function () e)()) for each (e in ["", {}, "", {}, ""])];
Crash [@ JS_Enumerate] touching 0x20000000
|
||
Comment 1•14 years ago
|
||
jit or no jit? or both?
|
|
||
Comment 2•14 years ago
|
||
JIT only, confirmed TM tip.
|
||
Comment 3•14 years ago
|
||
autoBisect shows this is probably related to bug 494269 : The first bad revision is: changeset: 28896:a16ed38ff63a user: David Mandelin date: Wed Jun 03 11:19:20 2009 -0700 summary: Bug 494269: trace JSOP_LAMBDA_FC, r=brendan,gal
|
Assignee | |
Comment 4•14 years ago
|
||
Still grinding away on this. Somehow a pointer to a bogus JSObject (junk instead of actual object data) gets stored to position 3 on the trace native stack. It appears to be code generated for a JSOP_NEXTITER. No idea why this happens yet.
|
|
Assignee | |
Comment 5•14 years ago
|
||
Caused by C++ semantics bustage on my part.
Assignee: general → dmandelin
Attachment #381874 -
Flags: review?(gal)
|
|
||
Comment 6•14 years ago
|
||
Comment on attachment 381874 [details] [diff] [review] Patch I would prefer not to use the tracker of "in-range" checks. Its safe here accidentally.
Attachment #381874 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 7•14 years ago
|
||
Pushed to TM as a6f9df8c33a9.
|
||
Updated•14 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Comment 8•14 years ago
|
||
(In reply to comment #7) > Pushed to TM as a6f9df8c33a9. Marking `fixed-in-tracemonkey` in whiteboard.
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 10•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/a6f9df8c33a9
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Comment 11•14 years ago
|
||
fixed on 192 a while back http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a6f9df8c33a9
status1.9.2:
--- → final-fixed
|
||
Updated•13 years ago
|
status1.9.1:
--- → unaffected
Flags: wanted1.9.0.x-
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Updated•12 years ago
|
Crash Signature: [@ js_ValueToNumber]
[@ JS_Enumerate]
|
||
Comment 12•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•