Closed Bug 655507 Opened 13 years ago Closed 13 years ago

TI: Crash in mjit-generated code with Array access

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase)

The following testcase crashes on TI revision e09e209d988e (run with -m -n -a),
tested on 64 bit:

a = new Array;   // empty array, length 0
a[2] = "2";      // write past the end: length becomes 3, a[0] and a[1] are holes
a[1];            // read a hole: must yield undefined; crashed in mjit code under TI

==28767== Invalid read of size 8
==28767==    at 0x41AE761: ???
==28767==    by 0x697C71: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:692)
==28767==    by 0x697DB6: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:722)
==28767==    by 0x697E92: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:739)
==28767==    by 0x4F77AD: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:605)
==28767==    by 0x4F8DE3: js::Execute(JSContext*, JSObject&, JSScript*, js::StackFrame*, unsigned int, js::Value*) (jsinterp.cpp:997)
==28767==    by 0x4348B6: JS_ExecuteScript (jsapi.cpp:5169)
==28767==    by 0x405A2C: Process(JSContext*, JSObject*, char*, int, int) (js.cpp:453)
==28767==    by 0x406ACF: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:983)
==28767==    by 0x411BCC: Shell(JSContext*, int, char**, char**) (js.cpp:5890)
==28767==    by 0x411EB2: main (js.cpp:6019)
==28767==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==28767== 
==28767== 
==28767== Process terminating with default action of signal 11 (SIGSEGV)
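As an added example, not part of this bug report or of the SpiderMonkey tree: a regression-style check in plain JavaScript for the access pattern the testcase above exercises, a read of an array hole below a single element written past the end. The read is run in a hot loop so that a JIT-compiling engine tiers the function up, and the language-level semantics every tier has to preserve are checked on each read: a hole reads as undefined, is not an own property, and the array's length is the written index plus one. The function names, the loop counts and the sweep over hole positions are this example's own; it generalises the single "a[2]; a[1]" case to every hole position up to a chosen index.

```javascript
// Added example (not from the bug report): regression-style check for reads of
// array holes, the access the original testcase crashes on. Runs in any engine
// with console.log; no engine-specific flags are assumed.
"use strict";

// Build an array with one element written past the current length, leaving
// holes below it, exactly as `a = new Array; a[2] = "2";` does.
function makeHoleyArray(writeIndex, value) {
  const a = new Array();
  a[writeIndex] = value;
  return a;
}

// Read every index up to and including writeIndex, `iterations` times over, so
// a JIT tiers the loop up. Every read is checked against the semantics the
// engine must preserve; a defect like the one reported would show up as a crash
// or as a thrown error rather than a quiet wrong summary.
function exerciseHoleReads(writeIndex, iterations) {
  const a = makeHoleyArray(writeIndex, String(writeIndex));
  let holeReads = 0;
  let definedReads = 0;
  for (let iter = 0; iter < iterations; iter++) {
    for (let i = 0; i <= writeIndex; i++) {
      const v = a[i]; // the access under test (a[1] in the original testcase)
      if (v === undefined) {
        // A hole must not be an own property of the array.
        if (i in a) throw new Error("index " + i + " is present but read undefined");
        holeReads++;
      } else {
        // A defined read must come from an own element, never from a hole.
        if (!Object.prototype.hasOwnProperty.call(a, i)) {
          throw new Error("index " + i + " read a value but is not an own property");
        }
        definedReads++;
      }
    }
  }
  return {
    length: a.length,            // writeIndex + 1
    holeReads: holeReads,        // writeIndex * iterations
    definedReads: definedReads,  // iterations
    ownKeys: Object.keys(a).join(","), // only the written index survives
  };
}

// Sweep hole positions 0..maxIndex so the JIT sees several array shapes.
function runSweep(maxIndex, iterations) {
  const results = [];
  for (let w = 0; w <= maxIndex; w++) {
    results.push(exerciseHoleReads(w, iterations));
  }
  return results;
}

// The original testcase's shape: one element at index 2, holes at 0 and 1.
console.log(JSON.stringify(exerciseHoleReads(2, 1000)));
console.log(JSON.stringify(runSweep(8, 1000)));
```

Run it under the engine build being tested (for the SpiderMonkey shell, with whatever JIT flags the build takes); any crash or thrown error on a hole read is a reproduction of the class of bug reported here, while a clean run only says the read path agrees with the interpreter for these shapes.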
WFM now, fixed I think as part of rev c963b24694cd.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+