Bug 557068 - JM: Crash [@ js::methodjit::JaegerShot]
Status: Closed (opened 14 years ago, closed 14 years ago)
Categories: Core :: JavaScript Engine, defect
Resolution: RESOLVED FIXED
People: Reporter: gkw; Assignee: Unassigned
Keywords: crash, regression, testcase
Description:

__defineGetter__("x", Function)
Function("\
  for each(let y in [Number, x, Number, x]) {\
    ''.replace(/a/, y.toSource)\
  }\
")()

crashes js debug and opt shell on JM tip with -m at a weird memory address with js::methodjit::JaegerShot near the top of the stack.
Comment 1 (Reporter, 14 years ago):

Here's another testcase:

for each(let x in [0, {}, 0, {}]) { x.valueOf }
Comment 2 (Reporter, 14 years ago):

And finally, a third one:

for each(x in [new Boolean(false), {}, new Boolean(false), new Boolean(false)]) { __defineGetter__("", x.toSource) }
Comment 3 (Reporter, 14 years ago):

Bonus fourth (pass into shell as a CLI argument):

function g(code) { return { z: code.indexOf("") } }
function h(code) {
  wtt = g(code.replace(/s/, ""));
  try { var f = new Function(code) } catch(e) {}
  (wtt.z) { try { f() } catch(e) {} }
  try { Function(code) } catch(e) {}
}
function() {}
function() {}
h("__defineGetter__(\"x\",Function(\"gczeal(2)\"))")
h("{return x(function(){}[new Boolean])}")
h("")
h("}")
h("")
This looks like a PIC bug.
Comment 5 (14 years ago):

http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/c5826c0f818f

More asm immediates that weren't constant size. Fortunately, Nitro has a feature to fix exactly this problem.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated (13 years ago):
Crash Signature: [@ js::methodjit::JaegerShot]
Comment 6 (11 years ago):
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug557068.js.
Flags: in-testsuite+