Bug 549398 - JM: Crash [@ js_ComputeThis]
Status: RESOLVED FIXED (closed)
Opened 15 years ago; closed 15 years ago
Product / Component: Core :: JavaScript Engine, defect
Reporter: gkw; Unassigned
Keywords: crash, testcase
(function () {
eval("\
for(var z = 0 ; z < 2 ; ++z) {\
this\
}\
", (<x/>))
})()
crashes debug and opt js shell builds with -m on JM repo 2e244af372f2 (http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/2e244af372f2) on 32-bit Mac 10.6.x and 64-bit Linux. (e4x seems to be required)
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000fffffffc
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 js-dbg-32-jm-darwin 0x0009fb32 js_ComputeThis + 19
1 js-dbg-32-jm-darwin 0x001dc326 js_ComputeThisForFrame + 70
2 js-dbg-32-jm-darwin 0x001dc383 js::jsl_This(js::VMFrame&) + 31
3 ??? 0x00741139 0 + 7606585
4 js-dbg-32-jm-darwin 0x001d82ad js::methodjit::JaegerShot(JSContext*) + 198
5 js-dbg-32-jm-darwin 0x0009f978 js_Execute + 1252
6 js-dbg-32-jm-darwin 0x000bb482 obj_eval(JSContext*, unsigned int, long*) + 2274
7 js-dbg-32-jm-darwin 0x0008e33e js_Interpret + 93035
8 js-dbg-32-jm-darwin 0x001daa60 InlineCall(js::VMFrame&, unsigned int, void**) + 1217
9 js-dbg-32-jm-darwin 0x001db1ec js::jsl_Call(js::VMFrame&) + 280
10 ??? 0x00741066 0 + 7606374
11 js-dbg-32-jm-darwin 0x001d82ad js::methodjit::JaegerShot(JSContext*) + 198
12 js-dbg-32-jm-darwin 0x0009f978 js_Execute + 1252
13 js-dbg-32-jm-darwin 0x000122a3 JS_ExecuteScript + 54
14 js-dbg-32-jm-darwin 0x0000b2f1 Process(JSContext*, JSObject*, char*, int) + 1347 (js.cpp:540)
15 js-dbg-32-jm-darwin 0x0000bcee ProcessArgs(JSContext*, JSObject*, char**, int) + 2325 (js.cpp:868)
16 js-dbg-32-jm-darwin 0x0000c0bb main + 953 (js.cpp:4880)
17 js-dbg-32-jm-darwin 0x00003191 _start + 208
18 js-dbg-32-jm-darwin 0x000030c0 start + 40
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/0f61b487fdef
test case as http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/020831b05767
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated 15 years ago: Blocks: JaegerFuzz
Updated 14 years ago: Crash Signature: [@ js_ComputeThis]
Comment 2 (12 years ago)
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug549398.js.
Flags: in-testsuite+