Bug 653395 - TI: Crash [@ js::types::TypeSet::unknown]
Opened 14 years ago; closed 14 years ago
Product/Component: Core :: JavaScript Engine (defect)
Status: RESOLVED FIXED
Reporter: decoder; Assignee: Unassigned
Keywords: crash, testcase
The following testcase crashes on TI revision 09cce9915b80 (run with -n -a), tested on 64-bit:
try {
(function () {
__proto__ = Uint32Array()
}())
} catch (e) {}(function () {
})()
eval("\
function testAtomize() {\
x = {};\
for (var i = false ; i < 65536; ++i)\
x[String.fromCharCode(i)] = 1;\
}\
new testAtomize()(testAtomize(), 65536);\
");
Backtrace:
==2309== Invalid read of size 4
==2309== at 0x41330C: js::types::TypeSet::unknown() (jsinfer.h:302)
==2309== by 0x4159E2: js::types::TypeSet::addType(JSContext*, unsigned long) (jsinferinlines.h:1128)
==2309== by 0x4E2CAB: js::types::TypeCompartment::dynamicPush(JSContext*, JSScript*, unsigned int, unsigned long) (jsinfer.cpp:1886)
==2309== by 0x456A37: JSScript::typeMonitorResult(JSContext*, unsigned char const*, unsigned long) (jsinferinlines.h:633)
==2309== by 0x78CE14: JSScript::typeMonitorOverflow(JSContext*, unsigned char const*) (jsinferinlines.h:648)
==2309== by 0x7768F9: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4177)
==2309== by 0x4F7A04: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:679)
==2309== by 0x4F9061: js::Execute(JSContext*, JSObject&, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1070)
==2309== by 0x514D80: EvalKernel(JSContext*, js::CallArgs const&, EvalType, JSStackFrame*, JSObject&) (jsobj.cpp:1260)
==2309== by 0x515049: js::DirectEval(JSContext*, js::CallArgs const&) (jsobj.cpp:1323)
==2309== by 0x77A45F: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4764)
==2309== by 0x4F7A04: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:679)
==2309== Address 0x40 is not stack'd, malloc'd or (recently) free'd
==2309==
==2309==
==2309== Process terminating with default action of signal 11 (SIGSEGV)
Comment 2 • 14 years ago
Throwing back, not entirely sure how to fix properly.
Assignee: jandemooij → general
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Updated • 14 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3 • 14 years ago
NULL dereference; ensureVarTypes should be called before calling thisTypes/localTypes/argTypes/slotTypes on a script. The varTypes associated with each script are created on demand.
http://hg.mozilla.org/projects/jaegermonkey/rev/16ae7aed77f3
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
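The fix described in comment 3 is an ensure-before-access pattern for lazily created per-script type sets. The C model below is an added illustration, not SpiderMonkey code: Script, TypeSet, ensureVarTypes, localTypes and monitorLocal are constructed stand-ins, and nullFaultOffset shows how a small faulting address such as the 0x40 in the Valgrind report is just a field offset from a NULL base (the real jsinfer layout is not modeled; slot 8 lands on 0x40 only in this constructed layout).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TYPE_FLAG_UNKNOWN 0x1u   /* constructed flag value, not SpiderMonkey's */

typedef struct TypeSet {
    uint32_t flags;              /* unknown() reads this word first */
    uint32_t typeFlags;          /* which types have been observed */
} TypeSet;

typedef struct Script {
    size_t   nfixed;             /* number of local variable slots */
    TypeSet *varTypes;           /* created on demand; NULL until ensureVarTypes() */
} Script;

/* Create the per-script type sets on first use. Returns 0 on allocation failure. */
static int ensureVarTypes(Script *s) {
    if (s->varTypes) return 1;
    s->varTypes = calloc(s->nfixed ? s->nfixed : 1, sizeof(TypeSet));
    return s->varTypes != NULL;
}

/* Accessor that never forms a pointer into an absent array. */
static TypeSet *localTypes(Script *s, size_t slot) {
    if (!s->varTypes || slot >= s->nfixed) return NULL;
    return &s->varTypes[slot];
}

/* Offset at which an unguarded varTypes[slot].flags read would fault while
 * varTypes is still NULL: the "Address 0x.." Valgrind prints for such a read. */
static size_t nullFaultOffset(size_t slot) {
    return slot * sizeof(TypeSet) + offsetof(TypeSet, flags);
}

/* Record an observed type for a local slot, fixed form: ensure, then access.
 * Returns 1 on success, 0 on allocation failure or out-of-range slot. */
static int monitorLocal(Script *s, size_t slot, uint32_t typeBit) {
    if (!ensureVarTypes(s)) return 0;
    TypeSet *ts = localTypes(s, slot);
    if (!ts) return 0;
    if (!(ts->flags & TYPE_FLAG_UNKNOWN)) ts->typeFlags |= typeBit;
    return 1;
}

/* Walk the scenario: accessor before ensure yields NULL, monitorLocal allocates
 * and records; returns the recorded typeFlags, or -1 if any step misbehaves. */
static int runScenario(void) {
    Script s = { 4, NULL };
    if (localTypes(&s, 0) != NULL) return -1;     /* guarded, instead of crashing */
    if (!monitorLocal(&s, 1, 0x8u)) return -1;
    if (localTypes(&s, 4) != NULL) return -1;     /* bounds check still applies */
    int r = (int)localTypes(&s, 1)->typeFlags;
    free(s.varTypes);
    return r;
}
```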
Updated • 14 years ago
Crash Signature: [@ js::types::TypeSet::unknown]
Comment 4 • 12 years ago (Reporter)
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+