Closed Bug 653395 Opened 14 years ago Closed 14 years ago

TI: Crash [@ js::types::TypeSet::unknown]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase)

The following testcase crashes on TI revision 09cce9915b80 (run with -n -a), tested on 64 bit:

try { (function () { __proto__ = Uint32Array() }()) } catch (e) {}
(function () { })()
eval("\
function testAtomize() {\
  x = {};\
  for (var i = false ; i < 65536; ++i)\
    x[String.fromCharCode(i)] = 1;\
}\
new testAtomize()(testAtomize(), 65536);\
");

Backtrace:

==2309== Invalid read of size 4
==2309==    at 0x41330C: js::types::TypeSet::unknown() (jsinfer.h:302)
==2309==    by 0x4159E2: js::types::TypeSet::addType(JSContext*, unsigned long) (jsinferinlines.h:1128)
==2309==    by 0x4E2CAB: js::types::TypeCompartment::dynamicPush(JSContext*, JSScript*, unsigned int, unsigned long) (jsinfer.cpp:1886)
==2309==    by 0x456A37: JSScript::typeMonitorResult(JSContext*, unsigned char const*, unsigned long) (jsinferinlines.h:633)
==2309==    by 0x78CE14: JSScript::typeMonitorOverflow(JSContext*, unsigned char const*) (jsinferinlines.h:648)
==2309==    by 0x7768F9: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4177)
==2309==    by 0x4F7A04: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:679)
==2309==    by 0x4F9061: js::Execute(JSContext*, JSObject&, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:1070)
==2309==    by 0x514D80: EvalKernel(JSContext*, js::CallArgs const&, EvalType, JSStackFrame*, JSObject&) (jsobj.cpp:1260)
==2309==    by 0x515049: js::DirectEval(JSContext*, js::CallArgs const&) (jsobj.cpp:1323)
==2309==    by 0x77A45F: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4764)
==2309==    by 0x4F7A04: js::RunScript(JSContext*, JSScript*, JSStackFrame*) (jsinterp.cpp:679)
==2309==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==2309==
==2309==
==2309== Process terminating with default action of signal 11 (SIGSEGV)
Taking...
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Throwing back, not entirely sure how to fix properly.
Assignee: jandemooij → general
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Status: UNCONFIRMED → NEW
Ever confirmed: true
NULL dereference: ensureVarTypes should be called before calling thisTypes/localTypes/argTypes/slotTypes on a script. The varTypes associated with each script are created on demand.

http://hg.mozilla.org/projects/jaegermonkey/rev/16ae7aed77f3
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeSet::unknown]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+