Closed
Bug 623474
Opened 14 years ago
Closed 14 years ago
String length PIC crash [@ js::mjit::EnterMethodJIT]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: jruderman, Assigned: evilpie)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [hardblocker][fixed-in-tracemonkey])
Crash Data
Attachments
(1 file)
|
830 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
./js -m
for (var j=0;j<2;++j) { (function(o){o.length})(String.prototype); }
Crash, null-deref in methodjit generated code.
The first bad revision is:
changeset: feb28ec64b74
user: Tom Schuster (evilpies)
date: Thu Dec 30 13:25:03 2010 -0600
summary: Bug 557353 - JM: PIC for object-wrapped string length. r=dvander
|
Assignee | |
Comment 1•14 years ago
|
||
The fix itself is easy, String.prototype doesn't use inline slots, so we first need to load obj->slots and then slots[0]. But i don't like to make the general case slower, String.prototype should just use inline slots, too.
|
||
Updated•14 years ago
|
blocking2.0: --- → ?
|
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
|
||
Updated•14 years ago
|
Whiteboard: hardblocker
|
Reporter | |
Updated•14 years ago
|
Blocks: SadJägerMonkey
Comment on attachment 501662 [details] [diff] [review] Fix The double load should be fine, thanks for fixing. I'll check this in with the testcase tomorrow. We can optimize it better in a follow-up bug.
Attachment #501662 -
Flags: review+
|
|
||
Comment 4•14 years ago
|
||
It shouldn't hurt to set the assignee since it's already done. :-)
Assignee: general → evilpies
http://hg.mozilla.org/tracemonkey/rev/423d37840edf
Status: NEW → ASSIGNED
Whiteboard: hardblocker → [hardblocker][fixed-in-tracemonkey]
|
||
Comment 6•14 years ago
|
||
What's the followup bug? Best to file and cite in a FIXME: or risk of not filing goes up. rs=me on FIXME comment additions, any time. /be
|
||
Comment 7•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/423d37840edf Despite resolution, note brendan's request for a followup bug in comment 6!
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ js::mjit::EnterMethodJIT]
|
||
Comment 8•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug623474.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•