Closed
Bug 502432
Opened 16 years ago
Closed 16 years ago
Crash [@ JS_HashTableRawLookup]
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
DUPLICATE
of bug 501834
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
for (x = 0; x < 3; x++) {
(function() { [z] = #1=[#1#] })()
try{} catch(e){}
(function() { for (x = 0; x < 1; x++){} })()
var f = Function("0*[z]");
f();
}
crashes js opt TM branch without -j at JS_HashTableRawLookup at 0xc0000007, debug as well. Doesn't seem to occur in 1.9.1 branch.
autoBisect coming up.
=====
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000c0000007
Crashed Thread: 0
Thread 0 Crashed:
0 js-opt-tm-intelmac 0x0004924b JS_HashTableRawLookup + 59
1 js-opt-tm-intelmac 0x00015112 array_toString_sub(JSContext*, JSObject*, int, JSString*, long*) + 98
2 js-opt-tm-intelmac 0x000156d4 array_toString(JSContext*, unsigned int, long*) + 132
3 js-opt-tm-intelmac 0x0005a245 js_Invoke + 1637
4 js-opt-tm-intelmac 0x0005aa44 js_InternalInvoke + 164
5 js-opt-tm-intelmac 0x000660b0 js_TryMethod + 208
6 js-opt-tm-intelmac 0x00066324 js_DefaultValue + 500
7 js-opt-tm-intelmac 0x0005f14e js_ValueToNumber + 206
8 js-opt-tm-intelmac 0x00052250 js_Interpret + 35200
9 js-opt-tm-intelmac 0x000598f9 js_Execute + 409
10 js-opt-tm-intelmac 0x0000e88c JS_ExecuteScript + 60
11 js-opt-tm-intelmac 0x000042ca Process(JSContext*, JSObject*, char*, int) + 1338
12 js-opt-tm-intelmac 0x00007aaf main + 879
13 js-opt-tm-intelmac 0x000025bb _start + 209
14 js-opt-tm-intelmac 0x000024e9 start + 41
Flags: blocking1.9.2?
|
Reporter | |
Comment 1•16 years ago
|
||
|
|
Reporter | |
Comment 2•16 years ago
|
||
This may be related to bug 200505 :
The first bad revision is:
changeset: 29670:bf952aed3786
user: Luke Wagner
date: Tue Jun 30 20:19:42 2009 -0400
summary: Bug 200505 - Optimization of jsref array_join_sub() function. r=waldo
Blocks: 200505
|
||
Updated•16 years ago
|
Assignee: general → lw
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Comment 3•16 years ago
|
||
Luke, could you take a look at this?
|
|
Assignee | |
Comment 4•16 years ago
|
||
This was indeed caused by 200505. There is already a [one-line] patch at bug 501834 comment 7. Sorry for the buggyness, hopefully this patch can be added before it bugs anyone else.
|
||
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Updated•16 years ago
|
Flags: in-testsuite?
|
|
||
Updated•16 years ago
|
Priority: -- → P1
|
|
||
Comment 6•16 years ago
|
||
fixed on 192 because bug 501834 was fixed before it branched.
status1.9.2:
--- → beta1-fixed
|
||
Updated•14 years ago
|
Crash Signature: [@ JS_HashTableRawLookup]
You need to log in
before you can comment on or make changes to this bug.
Description
•