Closed Bug 519359 Opened 15 years ago Closed 15 years ago

TM: Crash [@ argSlots] or [@ TypeMap::captureTypes]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 519129

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr])

(function(){eval("for(l in[0,0,0]){}",0)})()

crashes debug js shell with -j on TM tip at argSlots near null and opt js shell with -j on TM tip at TypeMap::captureTypes near null.

autoBisect shows this is probably related to bug 495325:

The first bad revision is:
changeset: 33133:de72243414cd
user: Blake Kaplan
date: Mon Aug 17 18:08:20 2009 -0700
summary: Bug 495325 - Follow ES about indirect eval being global eval. r=brendan/igor
Opt crash stack:

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000020
Crashed Thread: 0

Thread 0 Crashed:
0 js-opt-tm-darwin 0x000f4d9d TypeMap::captureTypes(JSContext*, JSObject*, Queue<unsigned short>&, unsigned int) + 141
1 js-opt-tm-darwin 0x000ff15c RecordTree(JSContext*, JSTraceMonitor*, VMFragment*, unsigned char*, unsigned int, JSObject*, unsigned int, Queue<unsigned short>*, unsigned int) + 620
2 js-opt-tm-darwin 0x0010337a js_MonitorLoopEdge(JSContext*, unsigned int&) + 2074
3 js-opt-tm-darwin 0x00059f1c js_Interpret + 46988
4 js-opt-tm-darwin 0x0005e151 js_Execute + 385
5 js-opt-tm-darwin 0x0006e03a obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 1930
6 js-opt-tm-darwin 0x0005e8d9 js_Invoke + 1113
7 js-opt-tm-darwin 0x00054c92 js_Interpret + 25858
8 js-opt-tm-darwin 0x0005e151 js_Execute + 385
9 js-opt-tm-darwin 0x0000d86c JS_ExecuteScript + 60
10 js-opt-tm-darwin 0x000043ba Process(JSContext*, JSObject*, char*, int) + 1338
11 js-opt-tm-darwin 0x0000793f main + 879
12 js-opt-tm-darwin 0x00001cab _start + 209
13 js-opt-tm-darwin 0x00001bd9 start + 41

===

Debug crash stack:

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000020
Crashed Thread: 0

Thread 0 Crashed:
0 js-dbg-tm-darwin 0x00130a39 argSlots(JSStackFrame*) + 15
1 js-dbg-tm-darwin 0x0013b461 NativeStackSlots(JSContext*, unsigned int) + 147
2 js-dbg-tm-darwin 0x0015aa7c TypeMap::captureTypes(JSContext*, JSObject*, Queue<unsigned short>&, unsigned int) + 32
3 js-dbg-tm-darwin 0x0015adc1 RecordTree(JSContext*, JSTraceMonitor*, VMFragment*, unsigned char*, unsigned int, JSObject*, unsigned int, Queue<unsigned short>*, unsigned int) + 677
4 js-dbg-tm-darwin 0x0016005c js_MonitorLoopEdge(JSContext*, unsigned int&) + 652
5 js-dbg-tm-darwin 0x000738a6 js_Interpret + 11250
6 js-dbg-tm-darwin 0x000998e9 js_Execute + 1143
7 js-dbg-tm-darwin 0x000b1b54 obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 2168
8 js-dbg-tm-darwin 0x0009afb7 js_Invoke + 2421
9 js-dbg-tm-darwin 0x000878ac js_Interpret + 93176
10 js-dbg-tm-darwin 0x000998e9 js_Execute + 1143
11 js-dbg-tm-darwin 0x0001ea3c JS_ExecuteScript + 54
12 js-dbg-tm-darwin 0x0000824b Process(JSContext*, JSObject*, char*, int) + 467
13 js-dbg-tm-darwin 0x00009a8a ProcessArgs(JSContext*, JSObject*, char**, int) + 2276
14 js-dbg-tm-darwin 0x0000b0e3 main + 927
15 js-dbg-tm-darwin 0x00001d3b _start + 209
16 js-dbg-tm-darwin 0x00001c69 start + 41
Whiteboard: [ccbr]
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Flags: in-testsuite?
Blocks: 531675
Crash Signature: [@ argSlots] [@ TypeMap::captureTypes]