Bug 580967
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ js::DefaultValue]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr])
Crash Data
(function(){
(eval("\
(function(){\
if(XML('aa'.replace(/a/g,function(){for(l in[0,0,0]){\
print(this)\
}}))){('')}\
})\
"))()
})()
crashes js debug and opt shell on TM tip with -j at js::DefaultValue.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 40832:3de0a7da3a8e
user: Andreas Gal
date: Sun Apr 11 20:55:22 2010 -0700
summary: Remove lingering defaultValue calls with hint JSTYPE_OBJECT or JSTYPE_FUNCTION (554550, r=brendan).
(gdb) bt
#0 0x00000000 in ?? ()
#1 0x080f5c1b in js::DefaultValue (cx=0x82bd680, obj=0xf7501578, hint=JSTYPE_STRING, vp=0xffffb430) at ../jsobj.cpp:5376
#2 0x08164b37 in js_ValueToString (cx=0x82bd680, arg=...) at ../jsstr.cpp:3443
#3 0x0805b23d in JS_ValueToString (cx=0x82bd680, v=...) at ../jsapi.cpp:427
#4 0x0804d345 in Print (cx=0x82bd680, argc=1, vp=0xffffb4d0) at ../../shell/js.cpp:1046
#5 0xf76aaf09 in ?? ()
#6 0x081b0841 in ExecuteTrace (cx=0x82bd680, f=0x82bcaa4, state=...) at ../jstracer.cpp:6600
#7 0x081b0d7d in ExecuteTree (cx=0x82bd680, f=0x82bcaa4, inlineCallCount=@0xffffc170, innermostNestedGuardp=0xffffb638, lrp=0xffffb63c)
at ../jstracer.cpp:6701
#8 0x081b20f4 in js::MonitorLoopEdge (cx=0x82bd680, inlineCallCount=@0xffffc170, reason=js::Record_Branch) at ../jstracer.cpp:7206
#9 0x08213ccc in js::Interpret (cx=0x82bd680) at ../jsinterp.cpp:2897
#10 0x080d7d6b in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x82bd680, fun=0xf7504d70, script=0x82c3ac8, native=0,
args=..., flags=0) at ../jsinterp.cpp:585
#11 0x080d5608 in js::Invoke (cx=0x82bd680, args=..., flags=0) at ../jsinterp.cpp:676
#12 0x08161f7f in FindReplaceLength (cx=0x82bd680, rdata=..., sizep=0xffffc3f8) at ../jsstr.cpp:2041
#13 0x081622ef in ReplaceCallback (cx=0x82bd680, count=1, p=0xffffc4a4) at ../jsstr.cpp:2119
#14 0x081611f8 in DoMatch (cx=0x82bd680, vp=0xf77af1c0, str=0xf7500fb0, g=..., callback=0x816222e <ReplaceCallback>, data=0xffffc4a4, flags=REPLACE_ARGS)
at ../jsstr.cpp:1755
#15 0x081628ab in str_replace (cx=0x82bd680, argc=2, vp=0xf77af1c0) at ../jsstr.cpp:2200
#16 0x08223ba0 in js::Interpret (cx=0x82bd680) at ../jsinterp.cpp:4741
#17 0x080d5e52 in js::Execute (cx=0x82bd680, chain=0xf7501000, script=0x82c3cb0, down=0x0, flags=0, result=0xffffd1d0) at ../jsinterp.cpp:880
#18 0x0806f82c in JS_ExecuteScript (cx=0x82bd680, obj=0xf7501000, script=0x82c3cb0, rval=0xffffd1d0) at ../jsapi.cpp:4707
#19 0x0804c0db in Process (cx=0x82bd680, obj=0xf7501000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:532
#20 0x0804cc45 in ProcessArgs (cx=0x82bd680, obj=0xf7501000, argv=0xffffd3d8, argc=1) at ../../shell/js.cpp:853
#21 0x080552ad in shell (cx=0x82bd680, argc=1, argv=0xffffd3d8, envp=0xffffd3e0) at ../../shell/js.cpp:4951
#22 0x080553c9 in main (argc=1, argv=0xffffd3d8, envp=0xffffd3e0) at ../../shell/js.cpp:5038
(gdb) x/i $eip
=> 0x0: Cannot access memory at address 0x0
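The backtrace above has its faulting frame #0 at address 0 with nothing to disassemble there, and the bug's signature is taken from the first symbolized frame, js::DefaultValue. The following is an added triage helper, not part of this bug report or of SpiderMonkey: it parses gdb `bt` output of this shape, rejoins the frames gdb wrapped onto two lines, derives the first-symbolized-frame signature, and flags a pc of 0 as a control transfer to address 0 (an indirect call through a null function pointer or a corrupted return address) rather than a plain null read or write. The sample input is an abbreviated copy of the backtrace above; the verdict strings and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abbreviated copy of the gdb output in the report above
# (frames #8, #9 and #12 onward dropped). The wrapped #7 and #10 frames are kept
# on purpose to exercise the continuation-line rejoining.
BACKTRACE = """\
(gdb) bt
#0  0x00000000 in ?? ()
#1  0x080f5c1b in js::DefaultValue (cx=0x82bd680, obj=0xf7501578, hint=JSTYPE_STRING, vp=0xffffb430) at ../jsobj.cpp:5376
#2  0x08164b37 in js_ValueToString (cx=0x82bd680, arg=...) at ../jsstr.cpp:3443
#3  0x0805b23d in JS_ValueToString (cx=0x82bd680, v=...) at ../jsapi.cpp:427
#4  0x0804d345 in Print (cx=0x82bd680, argc=1, vp=0xffffb4d0) at ../../shell/js.cpp:1046
#5  0xf76aaf09 in ?? ()
#6  0x081b0841 in ExecuteTrace (cx=0x82bd680, f=0x82bcaa4, state=...) at ../jstracer.cpp:6600
#7  0x081b0d7d in ExecuteTree (cx=0x82bd680, f=0x82bcaa4, inlineCallCount=@0xffffc170, innermostNestedGuardp=0xffffb638, lrp=0xffffb63c)
    at ../jstracer.cpp:6701
#10 0x080d7d6b in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x82bd680, fun=0xf7504d70, script=0x82c3ac8, native=0,
    args=..., flags=0) at ../jsinterp.cpp:585
#11 0x080d5608 in js::Invoke (cx=0x82bd680, args=..., flags=0) at ../jsinterp.cpp:676
"""

FRAME_START = re.compile(r"^#(\d+)\s+(?:0x([0-9a-fA-F]+)\s+in\s+)?(.*)$")
SOURCE_LOC = re.compile(r"^(.*)\s+at\s+(\S+):(\d+)$")

@dataclass
class Frame:
    num: int
    pc: Optional[int]    # None when gdb prints no address for the frame
    func: str            # "??" when gdb could not symbolize the frame
    args: str
    file: Optional[str]
    line: Optional[int]

    @property
    def symbolized(self) -> bool:
        return self.func != "??"

def _split_call(text):
    """Split 'func (args)' at the LAST balanced paren group, so a template name
    such as 'InvokeCommon<JSBool (*)(JSContext*, ...)>' is not taken as the args."""
    text = text.strip()
    if not text.endswith(")"):
        return text, ""
    depth = 0
    for i in range(len(text) - 1, -1, -1):
        if text[i] == ")":
            depth += 1
        elif text[i] == "(":
            depth -= 1
            if depth == 0:
                return text[:i].strip(), text[i + 1:-1].strip()
    return text, ""

def parse_backtrace(text: str) -> List[Frame]:
    """Parse the output of a gdb 'bt' command; lines gdb wrapped are rejoined."""
    chunks: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(gdb)"):
            continue
        if line.startswith("#"):
            chunks.append(line)
        elif chunks:
            chunks[-1] += " " + line   # continuation of the previous frame
    frames = []
    for chunk in chunks:
        m = FRAME_START.match(chunk)
        if not m:
            continue
        num, pc, rest = m.groups()
        file = line_no = None
        loc = SOURCE_LOC.match(rest)
        if loc:
            rest, file, line_no = loc.group(1), loc.group(2), int(loc.group(3))
        func, args = _split_call(rest)
        frames.append(Frame(int(num), int(pc, 16) if pc else None, func, args, file, line_no))
    return frames

def crash_signature(frames: List[Frame]) -> str:
    """First symbolized frame, which is why this bug's Crash Signature reads
    [@ js::DefaultValue] although the faulting frame #0 is at address 0."""
    f = next((f for f in frames if f.symbolized), None)
    return "[@ %s]" % f.func if f else "[@ ??]"

def triage(frames: List[Frame]) -> str:
    """Verdict strings are this example's own, not any tool's output."""
    if not frames:
        return "no frames"
    top = frames[0]
    if top.pc == 0:
        # An instruction fetch at 0 means control was transferred there, i.e.
        # an indirect call through a null function pointer or a bad return.
        return "control transfer to address 0 (null function pointer or corrupted return address)"
    if not top.symbolized:
        return "fault in unsymbolized code (JIT-generated or freed)"
    return "fault inside %s at %s:%s" % (top.func, top.file, top.line)

if __name__ == "__main__":
    fr = parse_backtrace(BACKTRACE)
    print(crash_signature(fr), "|", triage(fr))
    print("unsymbolized frames:", [f.num for f in fr if not f.symbolized])
```

Feed it only the lines produced by `bt`; any other command output that follows would be glued onto the last frame. On this trace it reports frames #0 and #5 as unsymbolized: #0 is the null target, and #5, sitting between Print and ExecuteTrace, is the JIT-generated trace code the shell was running under -j.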
Updated•15 years ago
OS: Linux → All
Hardware: x86 → All
Updated•15 years ago
blocking2.0: ? → betaN+
Comment 1•15 years ago
Cannot reproduce on TM tip (19f70f8c2b88) -j in debug shell. I also tried varying the number of elements in the array to 7, 8, and 9 to account for HOTLOOP being bumped to 8.
Comment 2•15 years ago
I think you also need to vary the number of characters in the string.
Comment 3•15 years ago
We don't trace replace(lambda), so the number of lambda invocations shouldn't need to change with HOTLOOP. I still tried though, no crash.
Updated•15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Comment 4•15 years ago
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 52303:d1d52f7820f2
user: Andrew Drake
date: Wed Jul 21 03:04:39 2010 -0700
summary: [JAEGER] Implement trap part of debug API. r=dvander, b=570650
Resolution: WORKSFORME → FIXED
Updated•14 years ago
Crash Signature: [@ js::DefaultValue]
Comment 5•13 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+