Bug 549396
JM: Crash [@ js_GetUpvar]
Opened 15 years ago
Closed 15 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: gkw, Unassigned
Keywords: crash, testcase
x = __defineSetter__("x", function(z) function() { z })
crashes debug and opt js shell builds with -m on JM repo 2e244af372f2 (http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/2e244af372f2) on 32-bit Mac 10.6.x and 64-bit Linux.
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000010
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 js-dbg-32-jm-darwin 0x0009da6f js_GetUpvar + 76
1 js-dbg-32-jm-darwin 0x000662bd js_NewFlatClosure + 265
2 js-dbg-32-jm-darwin 0x001e10df js::jsl_LambdaFC(js::VMFrame&) + 83
3 ??? 0x0074147b 0 + 7607419
4 js-dbg-32-jm-darwin 0x001d82ad js::methodjit::JaegerShot(JSContext*) + 198
5 js-dbg-32-jm-darwin 0x000a06c4 js_Invoke + 2347
6 js-dbg-32-jm-darwin 0x000a0b76 js_InternalInvoke + 197
7 js-dbg-32-jm-darwin 0x000a0c96 js_InternalGetOrSet + 103
8 js-dbg-32-jm-darwin 0x000bebcb JSScopeProperty::set(JSContext*, JSObject*, long*) + 167
9 js-dbg-32-jm-darwin 0x000b0269 js_NativeSet + 634
10 js-dbg-32-jm-darwin 0x000b2178 js_SetPropertyHelper + 2285
11 js-dbg-32-jm-darwin 0x0008c497 js_Interpret + 85188
12 js-dbg-32-jm-darwin 0x0009f988 js_Execute + 1268
13 js-dbg-32-jm-darwin 0x000122a3 JS_ExecuteScript + 54
14 js-dbg-32-jm-darwin 0x0000af78 Process(JSContext*, JSObject*, char*, int) + 458 (js.cpp:449)
15 js-dbg-32-jm-darwin 0x0000bcee ProcessArgs(JSContext*, JSObject*, char**, int) + 2325 (js.cpp:868)
16 js-dbg-32-jm-darwin 0x0000c0bb main + 953 (js.cpp:4880)
17 js-dbg-32-jm-darwin 0x00003191 _start + 208
18 js-dbg-32-jm-darwin 0x000030c0 start + 40
Reporter
Updated•15 years ago
OS: Mac OS X → All
Hardware: x86 → All
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/e2f5cd385345
test case as http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/b6ad535c855b
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
Blocks: JaegerFuzz
Updated•14 years ago
Crash Signature: [@ js_GetUpvar]
Comment 2•12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug549396.js.
Flags: in-testsuite+