Closed Bug 506178 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js_GetClosureArg]

Categories

(Core :: JavaScript Engine, defect, P1)

x86
macOS

Tracking

RESOLVED DUPLICATE of bug 506018
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, regression, testcase)

v = let(f = function (y) {
    let(f = function (g) {
        for each(let h in g) {
            if (y > 4) {
                with(1) {}
            }
        }
    }) {
        f([0, 0, 0])
    }
}) print(f())

crashes TM tip dbg js shell with -j at js_GetClosureArg at null. Doesn't seem to affect 1.9.1 branch.
Flags: blocking1.9.2?
Affects opt js shell too.

autoBisect shows this is probably related to bug 496240:

The first bad revision is:
changeset:   30380:b75efc9ee5b1
user:        David Mandelin
date:        Tue Jul 21 16:22:36 2009 -0700
summary:     Bug 496240: trace JSOP_NAME for active (on-stack) closures, r=gal

Though it crashes at null, there are two memory address entries on the stack.

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   js-dbg-tm-darwin              	0x000e3a30 js_GetClosureArg(JSContext*, JSObject*, unsigned int, unsigned int, unsigned int, double*) + 128
1   ???                           	0x00186f2d 0 + 1601325
2   ???                           	0xbffff268 0 + 3221221992
3   js-dbg-tm-darwin              	0x000f7c1e js_MonitorLoopEdge(JSContext*, unsigned int&) + 1326
4   js-dbg-tm-darwin              	0x00055172 js_Interpret + 44610
5   js-dbg-tm-darwin              	0x0005a157 js_Execute + 407
6   js-dbg-tm-darwin              	0x0000e52c JS_ExecuteScript + 60
7   js-dbg-tm-darwin              	0x00003fea Process(JSContext*, JSObject*, char*, int) + 1338
8   js-dbg-tm-darwin              	0x000077cf main + 879
9   js-dbg-tm-darwin              	0x000022db _start + 209
10  js-dbg-tm-darwin              	0x00002209 start + 41
Blocks: 496240
dupe of bug 506018?
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
Yeah, it's a dup.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Flags: in-testsuite?
fixed by the dupe on 192
Crash Signature: [@ js_GetClosureArg]