Closed
Bug 649273
Opened 13 years ago
Closed 13 years ago
TI: Crash [@ JSString::length] // Null pointer dereference
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 649261
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
The following testcase crashes on TI revision 23a746dac370 (run with -m -n -a), tested on 64-bit:

function TestCase(n, d, e, a) {
  + c;
}
try {
  for (var c in y) {}
} catch(e) {}
try {
  Nested_1;
} catch ( e ) {
  new TestCase;
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fc766121720 (LWP 28950)]
0x0000000000413874 in JSString::length (this=0x0) at ./jsstr.h:249
249	    return d.lengthAndFlags >> LENGTH_SHIFT;
(gdb) bt
#0  0x0000000000413874 in JSString::length (this=0x0) at ./jsstr.h:249
#1  0x00000000005135b9 in StringToNumberType<double> (cx=0x2585db0, str=0x0, result=0x7ffff70465e8) at jsnum.h:653
#2  0x0000000000512c1e in js::ValueToNumberSlow (cx=0x2585db0, v={data = {asBits = 18445195961337643008, debugView = {payload47 = 0, tag = JSVAL_TAG_STRING}, s = {payload = {i32 = 0, u32 = 0, why = JS_ARRAY_HOLE, word = 18445195961337643008}}, asDouble = -nan(0xa800000000000), asPtr = 0xfffa800000000000}}, out=0x7ffff70465e8) at jsnum.cpp:1273
#3  0x00000000005141f6 in js::ValueToNumber (cx=0x2585db0, vp=0x7fc764bd0140) at ./jsnum.h:287
#4  0x000000000079ab04 in js::mjit::stubs::Pos (f=@0x7ffff7046630) at ./methodjit/StubCalls.cpp:2640
#5  0x00007fc765f82cfc in ?? ()
#6  0x00007fc765f82080 in ?? ()
#7  0x00000000025ee1c0 in ?? ()
#8  0x0000000000000000 in ?? ()
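As an added triage example (not part of the reporter's comment and not SpiderMonkey source), the C below decodes the nan-boxed asBits value that gdb printed for v in frame #2, using the 64-bit JS::Value layout of that era: a 17-bit tag in the top bits, a 47-bit payload below it. The JSVAL_TAG_SHIFT, JSVAL_TAG_MAX_DOUBLE and JSVAL_TYPE_* constants are reproduced from memory and are an assumption, though they agree with the debugView fields in the dump. The decode confirms the title's claim: the tag is JSVAL_TAG_STRING but the payload is 0, so StringToNumberType received a null JSString* and JSString::length dereferenced null, rather than a pointer an attacker controls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit nan-boxing layout of SpiderMonkey's jsval.h in the TI era.
 * Assumption: these constants are reproduced from memory; they match the
 * debugView gdb printed in frame #2 (tag = JSVAL_TAG_STRING, payload47 = 0). */
#define JSVAL_TAG_SHIFT      47
#define JSVAL_TAG_MAX_DOUBLE 0x1FFF0u   /* largest tag that still encodes a double */
#define JSVAL_PAYLOAD_MASK   ((1ULL << JSVAL_TAG_SHIFT) - 1)

enum jsval_type {
    JSVAL_TYPE_DOUBLE    = 0x00,
    JSVAL_TYPE_INT32     = 0x01,
    JSVAL_TYPE_UNDEFINED = 0x02,
    JSVAL_TYPE_BOOLEAN   = 0x03,
    JSVAL_TYPE_MAGIC     = 0x04,
    JSVAL_TYPE_STRING    = 0x05,
    JSVAL_TYPE_NULL      = 0x06,
    JSVAL_TYPE_OBJECT    = 0x07,
    JSVAL_TYPE_INVALID   = 0xFF   /* not a jsval.h constant: sentinel for corrupt tags */
};

/* asBits value gdb printed for `v` in js::ValueToNumberSlow (frame #2 above). */
static const uint64_t CRASH_ASBITS = 18445195961337643008ULL; /* 0xFFFA800000000000 */

/* Tag lives in the top 17 bits, the payload in the low 47. */
static uint32_t jsval_tag(uint64_t bits)     { return (uint32_t)(bits >> JSVAL_TAG_SHIFT); }
static uint64_t jsval_payload(uint64_t bits) { return bits & JSVAL_PAYLOAD_MASK; }

/* Any tag not above the canonical-NaN tag is an ordinary double;
 * everything above it encodes type = tag - JSVAL_TAG_MAX_DOUBLE. */
static enum jsval_type jsval_type_of(uint64_t bits)
{
    uint32_t tag = jsval_tag(bits);
    if (tag <= JSVAL_TAG_MAX_DOUBLE)
        return JSVAL_TYPE_DOUBLE;
    if (tag - JSVAL_TAG_MAX_DOUBLE > JSVAL_TYPE_OBJECT)
        return JSVAL_TYPE_INVALID;
    return (enum jsval_type)(tag - JSVAL_TAG_MAX_DOUBLE);
}

static const char *jsval_type_name(enum jsval_type t)
{
    switch (t) {
    case JSVAL_TYPE_DOUBLE:    return "double";
    case JSVAL_TYPE_INT32:     return "int32";
    case JSVAL_TYPE_UNDEFINED: return "undefined";
    case JSVAL_TYPE_BOOLEAN:   return "boolean";
    case JSVAL_TYPE_MAGIC:     return "magic";
    case JSVAL_TYPE_STRING:    return "string";
    case JSVAL_TYPE_NULL:      return "null";
    case JSVAL_TYPE_OBJECT:    return "object";
    default:                   return "invalid";
    }
}

/* Triage check: a string- or object-tagged Value whose pointer payload is 0
 * explains a SIGSEGV through this=0x0 (a plain null dereference); any other
 * pointer payload would mean the engine followed a non-null, possibly
 * attacker-influenced pointer and deserves a closer look. */
static bool jsval_is_null_gcthing(uint64_t bits)
{
    enum jsval_type t = jsval_type_of(bits);
    return (t == JSVAL_TYPE_STRING || t == JSVAL_TYPE_OBJECT) && jsval_payload(bits) == 0;
}

int main(void)
{
    uint64_t bits = CRASH_ASBITS;
    printf("asBits  = 0x%016llx\n", (unsigned long long)bits);
    printf("tag     = 0x%x (%s)\n", jsval_tag(bits), jsval_type_name(jsval_type_of(bits)));
    printf("payload = 0x%llx\n", (unsigned long long)jsval_payload(bits));
    printf("verdict = %s\n", jsval_is_null_gcthing(bits)
           ? "null GC-thing pointer: JSString::length(this=0x0) is a null dereference"
           : "non-null payload: investigate further");
    return 0;
}
```

The same decode explains the odd `why = JS_ARRAY_HOLE` in the dump: gdb renders the zero payload through every member of the union, and the JSWhyMagic member shows its first enumerator for 0, so it is the same null payload, not evidence of a magic value. The real question for the fix (tracked in bug 649261) is how type inference let a string-tagged Value with a null payload reach stubs::Pos in the first place; this check only establishes that the crash as reported is a null dereference.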
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Crash Signature: [@ JSString::length]
Reporter
Comment 2•11 years ago
A testcase for this bug was already added in the original bug (bug 649261).
Flags: in-testsuite-