Closed Bug 655507 Opened 14 years ago Closed 14 years ago

TI: Crash in mjit-generated code with Array access

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

The following testcase crashes on TI revision e09e209d988e (run with -m -n -a), tested on 64 bit:

a = new Array;
a[2] = "2";
a[1];

==28767== Invalid read of size 8
==28767==    at 0x41AE761: ???
==28767==    by 0x697C71: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:692)
==28767==    by 0x697DB6: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:722)
==28767==    by 0x697E92: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:739)
==28767==    by 0x4F77AD: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:605)
==28767==    by 0x4F8DE3: js::Execute(JSContext*, JSObject&, JSScript*, js::StackFrame*, unsigned int, js::Value*) (jsinterp.cpp:997)
==28767==    by 0x4348B6: JS_ExecuteScript (jsapi.cpp:5169)
==28767==    by 0x405A2C: Process(JSContext*, JSObject*, char*, int, int) (js.cpp:453)
==28767==    by 0x406ACF: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:983)
==28767==    by 0x411BCC: Shell(JSContext*, int, char**, char**) (js.cpp:5890)
==28767==    by 0x411EB2: main (js.cpp:6019)
==28767==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==28767==
==28767==
==28767== Process terminating with default action of signal 11 (SIGSEGV)
WFM now, fixed I think as part of rev c963b24694cd.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+