Closed Bug 586538 Opened 14 years ago Closed 14 years ago

JM: Crash [@ js::methodjit::JaegerShot]

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86, macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: gkw (Unassigned)
Keywords: crash, regression, testcase

Function("\
  for (var a = 0;;) {\
    if (a % 3) {\
      return\
    }\
    function b() {}\
    b((function() {})([Infinity]))\
  }\
")()

crashes js debug and opt shell on JM changeset f7cf2b7b7961 at js::mjit::JaegerShot

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x004d24ec in ?? ()
(gdb) bt
#0  0x004d24ec in ?? ()
#1  0x001f859f in js::mjit::JaegerShot (cx=0x50aaf0) at ../methodjit/MethodJIT.cpp:698
#2  0x000ba199 in js::RunScript (cx=0x50aaf0, script=0x50cdb0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:465
#3  0x000bb82b in js::Execute (cx=0x50aaf0, chain=0x702000, script=0x50cdb0, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:947
#4  0x0001897d in JS_ExecuteScript (cx=0x50aaf0, obj=0x702000, script=0x50cdb0, rval=0xbffff680) at ../jsapi.cpp:4758
#5  0x0000cdc7 in Process (cx=0x50aaf0, obj=0x702000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#6  0x0000d7cb in ProcessArgs (cx=0x50aaf0, obj=0x702000, argv=0xbffff84c, argc=1) at ../../shell/js.cpp:861
#7  0x0000d8e4 in shell (cx=0x50aaf0, argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5067
#8  0x0000da08 in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5163
(gdb) x/i $eip
0x4d24ec:       cmpl   $0x285900,0x4(%edi)
Changing to:

Function("\
  for (var a = 0;;) {\
    print('abcdefghijklmnopqrstuv'); \
    if (a) { return; } \
    function b(){} \
    b((function(){}([Infinity]))) \
  }\
")()

Prints:

abcdefghijklmnopqrstuv
abcdefghijklmnopqrstuv
abcdefghijklmnopqrstuv
Segmentation fault

Replacing 'abcdefghijklmnopqrstuv' with 'abcdef' gives:

abcdef
abcdef
abcdef
Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at /home/adrake/src/moo/js/src/jsvalue.h:610

Replacing 'abcdef' with 'daloop' gives:

daloop
daloop
daloop
Assertion failure: non-global object at end of scope chain, at /home/adrake/src/moo/js/src/jsobj.cpp:6105
Aborted

Have not succeeded in triggering other assertions.
Here's another possibly-related testcase:

Function("\
  for (a = 0; a < 3; a++) {\
    function z() {\
      for (b = 0; b < 1; ++b) {\
        if (b == 1) {\
          return\
        }\
        ({}[Number[''], Number()])\
      }\
    }\
    z()\
  }\
")()


Program received signal SIGSEGV, Segmentation fault.
0xf76a8959 in ?? ()
(gdb) bt
#0  0xf76a8959 in ?? ()
#1  0x0821401a in js::mjit::JaegerShot (cx=0x8346c78) at ../methodjit/MethodJIT.cpp:698
#2  0x080d9cfd in js::RunScript (cx=0x8346c78, script=0x834e6e8, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:465
#3  0x080dab34 in js::Execute (cx=0x8346c78, chain=0xf7502000, script=0x834e6e8, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:947
#4  0x080701b7 in JS_ExecuteScript (cx=0x8346c78, obj=0xf7502000, script=0x834e6e8, rval=0xffffd200) at ../jsapi.cpp:4758
#5  0x0804c34a in Process (cx=0x8346c78, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#6  0x0804ced9 in ProcessArgs (cx=0x8346c78, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:861
#7  0x080557e0 in shell (cx=0x8346c78, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5067
#8  0x080558fc in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5163
(gdb) x/i $eip
=> 0xf76a8959:	cmpl   $0x82e4960,0x4(%esi)
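A small triage helper for gdb sessions like the two above, added here as an example and not part of this bug or of SpiderMonkey: it parses the session, skips the unsymbolized `?? ()` frames (JIT-generated code) to derive a crash signature from the first symbolized frame, and combines the reported fault address with the memory operand of the faulting instruction, so that `cmpl $0x285900,0x4(%edi)` faulting at address 0x4 is recognized as a read through a NULL base register. The sample input is the first backtrace in this bug, trimmed to three frames; the 0x1000 null-page threshold is an assumption.

```python
import re

# Constructed sample input: the first gdb session quoted in this bug, trimmed to three frames.
GDB_OUTPUT = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
(gdb) bt
#0  0x004d24ec in ?? ()
#1  0x001f859f in js::mjit::JaegerShot (cx=0x50aaf0) at ../methodjit/MethodJIT.cpp:698
#2  0x000ba199 in js::RunScript (cx=0x50aaf0, script=0x50cdb0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:465
(gdb) x/i $eip
0x4d24ec:       cmpl   $0x285900,0x4(%edi)
"""

SIGNAL_RE = re.compile(r"Program received signal (\w+)")
FAULT_RE = re.compile(r"at address: (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (\S+) \(")   # "#1  0x... in name ("
INSN_RE = re.compile(r"^(?:=> )?0x[0-9a-fA-F]+:\s+(\S+)\s+(.*)$")  # "x/i $eip" output line
MEMOP_RE = re.compile(r"(-?0x[0-9a-fA-F]+|-?\d+)?\((%\w+)")        # AT&T disp(%base)
NULL_PAGE = 0x1000  # assumed threshold: faults below it are treated as NULL-based accesses

def parse_gdb_crash(text):
    """Summarize one x86 gdb crash session: signal, fault address, signature, faulting access."""
    info = {"signal": None, "fault_address": None, "frames": [], "signature": None,
            "instruction": None, "classification": "unknown"}
    for line in text.splitlines():
        if m := SIGNAL_RE.search(line):
            info["signal"] = m.group(1)
        elif m := FAULT_RE.search(line):
            info["fault_address"] = int(m.group(1), 16)
        elif m := FRAME_RE.match(line):
            info["frames"].append((int(m.group(1)), m.group(2)))
        elif m := INSN_RE.match(line):
            info["instruction"] = (m.group(1), m.group(2))
    # "??" frames have no symbol (here they are JIT-generated code), so the crash
    # signature is taken from the first symbolized frame, as crash-stats does.
    symbolized = [name for _, name in info["frames"] if name != "??"]
    if symbolized:
        info["signature"] = f"[@ {symbolized[0]}]"
    # A fault in the null page whose address equals the operand's displacement
    # means the base register itself was NULL (0x4(%edi) faulting at 0x4).
    addr = info["fault_address"]
    if addr is not None and addr < NULL_PAGE:
        info["classification"] = "near-null dereference"
        if info["instruction"] and (mm := MEMOP_RE.search(info["instruction"][1])):
            disp = int(mm.group(1), 0) if mm.group(1) else 0
            if disp == addr:
                info["classification"] += f" ({mm.group(2)} == NULL, offset {disp:#x})"
    return info
```

The Linux session above reports no fault address, so for it the helper yields the signature and instruction but leaves the classification as "unknown".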
http://hg.mozilla.org/projects/jaegermonkey/rev/cba4b1fb2662
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::methodjit::JaegerShot]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+