Closed
Bug 647657
Opened 14 years ago
Closed 14 years ago
TI: Crash [@ JSObject::getParent] in testcase involving Function and Array
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Function("var{}=Array()")()
crashes js opt and debug shell on JM changeset a58525f1f4be with -m, -a and -d on Windows 7.
|
Reporter | |
Updated•14 years ago
|
Summary: TI: Crash in testcase involving Function and Array → TI: Crash [@ JSObject::getParent] in testcase involving Function and Array
|
|
Reporter | |
Comment 1•14 years ago
|
||
Top 5 lines of backtrace:
#0 0x0805a314 in JSObject::getParent (this=0x0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-65060-a58525f1f4be/compilePath/jsobj.h:731
#1 0x08161663 in JSObject::getGlobal (this=0x0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-65060-a58525f1f4be/compilePath/jsobj.cpp:6693
#2 0x0815b2ad in js_GetClassObject (cx=0x84e62a0, obj=0x0, key=JSProto_Array, objp=0xffff45c8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-65060-a58525f1f4be/compilePath/jsobj.cpp:4347
#3 0x082d2353 in js::mjit::Compiler::callArrayBuiltin (this=0xffff8e54, argc=0, callingNew=false) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-65060-a58525f1f4be/compilePath/methodjit/Compiler.cpp:3627
#4 0x082d0c1f in js::mjit::Compiler::inlineCallHelper (this=0xffff8e54, callImmArgc=0, callingNew=false)
at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-65060-a58525f1f4be/compilePath/methodjit/Compiler.cpp:3267
|
|
Reporter | |
Updated•14 years ago
|
OS: Windows 7 → All
Hardware: x86 → All
|
|
Reporter | |
Comment 2•14 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 65054:42f282c4922c
user: Brian Hackett
date: Sun Apr 03 14:37:50 2011 -0700
summary: [INFER] Don't discard JIT code for the topmost frame while recompiling, bug 647424.
Blocks: 647424
Keywords: regression
|
|
Reporter | |
Comment 3•14 years ago
|
||
Crashes near js_GetClassObject in opt shell.
|
||
Comment 4•14 years ago
|
||
The recent callArrayBuiltin optimization should only be used in compileAndGo scripts, as it is baking in the script's Array.prototype object.
http://hg.mozilla.org/projects/jaegermonkey/rev/dc3bb73615dd
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ JSObject::getParent]
|
||
Comment 5•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug647657.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•