Closed Bug 584644 Opened 11 years ago Closed 11 years ago

JM: Crash [@ 0xd7c91f6c]

Categories

(Core :: JavaScript Engine, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, regression, testcase)

x = Math.tan(this)
Function("\
  for each(let a in[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]) {\
    for each(l in[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,x,0,0,0,0,0,0,0,0,x]) {\
      function aaaaa(){}\
      aaaaa()\
    }\
  }\
")()

crashes js debug and opt shell on Mac 32-bit on JM changeset 6347cf00d3ab with -m at a weird memory address near js::mjit::JaegerShot.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xd7c91f6c
0x004c9eeb in ?? ()
(gdb) bt
#0  0x004c9eeb in ?? ()
#1  0x001f642b in js::mjit::JaegerShot (cx=0x50a900) at ../methodjit/MethodJIT.cpp:696
#2  0x000b993b in js::RunScript (cx=0x50a900, script=0x50dbb0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:466
#3  0x000bae9c in js::Execute (cx=0x50a900, chain=0x702000, script=0x50dbb0, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:954
#4  0x00017d30 in JS_ExecuteScript (cx=0x50a900, obj=0x702000, script=0x50dbb0, rval=0xbffff680) at ../jsapi.cpp:4737
#5  0x0000cc5a in Process (cx=0x50a900, obj=0x702000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#6  0x0000d65f in ProcessArgs (cx=0x50a900, obj=0x702000, argv=0xbffff84c, argc=1) at ../../shell/js.cpp:861
#7  0x0000d778 in shell (cx=0x50a900, argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5010
#8  0x0000d89c in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5106
(gdb) x/i $eip
0x4c9eeb:       movl   $0xffff00ff,-0x2936e1c4(%ebx)
This occurs on Linux 32-bit as well.
OS: Mac OS X → All
Hardware: x86 → All
Crash Signature: [@ 0xd7c91f6c]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug584644-2.js.
Flags: in-testsuite+
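The gdb output in the report carries the three facts a crash triager needs before a fix exists: frame #0 sits at an unsymbolised address (`??`) directly below js::mjit::JaegerShot, so the PC is inside JIT-emitted code; the faulting instruction is a 4-byte store of a constant to an address computed from %ebx; and the fault is a write, not a read. The script below is an added example (not part of the bug report, the jsfunfuzz tooling, or SpiderMonkey) that parses the quoted gdb session and extracts exactly that. It assumes the Mac gdb phrasing shown on this page for the fault line, uses the common CrashWrangler/!exploitable-style rule that an invalid write ranks above an invalid read, treats "unsymbolised frame 0 entered from JaegerShot" as a heuristic for generated code, and recovers the base register by inverting the addressing mode: ebx = 0xd7c91f6c + 0x2936e1c4 mod 2^32 = 0x01000130 (derived from the page's numbers, not stated in the report).

```python
import re

MASK32 = 0xFFFFFFFF

# Constructed sample input: the gdb session quoted in the bug report above
# (Mac OS X gdb phrasing), trimmed to the lines the triage needs.
SAMPLE_GDB_OUTPUT = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xd7c91f6c
0x004c9eeb in ?? ()
(gdb) bt
#0  0x004c9eeb in ?? ()
#1  0x001f642b in js::mjit::JaegerShot (cx=0x50a900) at ../methodjit/MethodJIT.cpp:696
#2  0x000b993b in js::RunScript (cx=0x50a900, script=0x50dbb0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:466
(gdb) x/i $eip
0x4c9eeb:       movl   $0xffff00ff,-0x2936e1c4(%ebx)
"""

# Patterns for the gdb output format shown on this page; other gdb versions and
# platforms phrase the fault line differently (assumption: adjust as needed).
FAULT_RE = re.compile(r"at address:\s*(0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#\d+\s+(0x[0-9a-fA-F]+)\s+in\s+(\S+)", re.MULTILINE)
INSN_RE = re.compile(r"^0x[0-9a-fA-F]+:\s+(\w+)\s+(.*)$", re.MULTILINE)
# AT&T memory operand disp(%base,%index,scale); every part is optional.
MEM_RE = re.compile(r"^(-?0x[0-9a-fA-F]+|-?\d+)?\((%\w+)?(?:,(%\w+)(?:,(\d+))?)?\)$")
WIDTH = {"b": 1, "w": 2, "l": 4, "q": 8}   # AT&T size suffix -> bytes


def split_operands(operands):
    """Split on commas that are not inside an addressing-mode parenthesis."""
    parts, cur, depth = [], "", 0
    for ch in operands:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return parts + [cur.strip()] if cur.strip() else parts


def parse_mem_operand(op):
    m = MEM_RE.match(op)
    if not m:
        return None
    disp = int(m.group(1), 16 if "0x" in m.group(1).lower() else 10) if m.group(1) else 0
    return {"disp": disp, "base": m.group(2), "index": m.group(3), "scale": int(m.group(4) or 1)}


def classify_access(mnemonic, operands):
    """Return (kind, mem). AT&T syntax puts the destination last, so a memory
    operand in last position is written (or read-modify-written); compares and
    indirect branches only load."""
    ops = split_operands(operands)
    mems = [(i, parse_mem_operand(o)) for i, o in enumerate(ops)]
    mems = [(i, m) for i, m in mems if m]
    if not mems:
        return None, None
    i, mem = mems[-1]
    if mnemonic.startswith(("cmp", "test", "j", "call")) or i != len(ops) - 1:
        return "read", mem
    return "write", mem


def recover_base_value(fault_addr, mem):
    """Invert fault = base + index*scale + disp (mod 2**32) for the base register;
    only determinable when no index register takes part."""
    if mem["base"] is None or mem["index"] is not None:
        return None
    return (fault_addr - mem["disp"]) & MASK32


def triage(text):
    fault, insn = FAULT_RE.search(text), INSN_RE.search(text)
    frames = [(int(pc, 16), None if sym == "??" else sym) for pc, sym in FRAME_RE.findall(text)]
    if not (fault and insn and frames):
        raise ValueError("unrecognised gdb output")
    fault_addr = int(fault.group(1), 16)
    mnemonic, operands = insn.groups()
    kind, mem = classify_access(mnemonic, operands)
    pc, pc_sym = frames[0]
    caller = next((s for _, s in frames[1:] if s), None)
    return {
        "fault_address": fault_addr,
        "pc": pc,
        "pc_symbol": pc_sym,
        "entered_via": caller,
        # Heuristic: an unsymbolised frame 0 reached from the JM entry point means
        # the PC is inside JIT-emitted code rather than a stripped library.
        "in_generated_code": pc_sym is None and caller is not None and "JaegerShot" in caller,
        "access": kind,
        "width": WIDTH.get(mnemonic[-1]),
        "base_register": mem["base"] if mem else None,
        "base_value": recover_base_value(fault_addr, mem) if mem else None,
        # Coarse CrashWrangler / !exploitable style rule: invalid writes rank above reads.
        "rating": "HIGH: write to unmapped address" if kind == "write" else "LOW: read fault, needs more analysis",
    }


if __name__ == "__main__":
    r = triage(SAMPLE_GDB_OUTPUT)
    print(f"{r['fault_address']:#010x} {r['access']} of {r['width']} bytes at pc {r['pc']:#010x}"
          f" ({'JIT code' if r['in_generated_code'] else r['pc_symbol']}), entered via {r['entered_via']}")
    if r["base_value"] is not None:
        print(f"{r['base_register']} = {r['base_value']:#010x} (recovered from the addressing mode)")
    print(r["rating"])
```

On Linux gdb the signal line does not carry the fault address; print it with `p $_siginfo._sifields._sigfault.si_addr` and feed that value in, since the rest of the parsing (bt and x/i) is the same. The write-over-read rating is only a triage ordering: it says which crashes to look at first, not that this bug is exploitable.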