Bug 658287: TI: Crash [@ js::ValueToNumberSlow]
Status: RESOLVED DUPLICATE of bug 658211
Opened 14 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Unassigned
Keywords: crash, testcase

The following testcase crashes on TI revision 4dff743ec04d (run with -j -m -n -a), tested on 64 bit:

var gTestcases = Array;
function TestCase(n, d, e, a) {
  this.description = d
  gTestcases[gTc] = this
}
TestCase.prototype.dump = function () {
  if (typeof document != "object") + this.description + '\n'
};
function reportCompare(expected, actual, description) {
  new TestCase("unknown-test-name", description, expected, actual)
}
gTc = 0;;
function jsTestDriverEnd() {
  for (var i = 0; i < gTestcases.length; i++)
    gTestcases[i].dump()
}
reportCompare(0, 0, Object);
jsTestDriverEnd();
jsTestDriverEnd();
var expect = '';
var status = '';
try {
  actual = '/(a)\21474836481/.test("aa")'
} catch (e) {}
reportCompare(expect, actual, status);
jsTestDriverEnd()

Backtrace:
==22785== Jump to the invalid address stated on the next line
==22785== at 0x65007500720074: ???
==22785== by 0x505471: js::ValueToNumberSlow(JSContext*, js::Value, double*) (jsnum.cpp:1309)
==22785== by 0x50696B: js::ValueToNumber(JSContext*, js::Value*) (jsnum.h:280)
==22785== by 0x799619: js::mjit::stubs::Pos(js::VMFrame&) (StubCalls.cpp:2581)
==22785== by 0x41B19EC: ???
==22785== by 0x6914BC: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:882)
==22785== by 0x69162C: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:914)
==22785== by 0x691708: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:931)
==22785== by 0x77E6DA: js::Interpret(JSContext*, js::StackFrame*, unsigned int, js::InterpMode) (jsinterp.cpp:4727)
==22785== by 0x735E8C: js_InternalInterpret (InvokeHelpers.cpp:1636)
==22785== by 0x6911E1: ??? (MethodJIT.cpp:152)
==22785== by 0x6914BC: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:882)
==22785== Address 0x65007500720074 is not stack'd, malloc'd or (recently) free'd
==22785==
==22785==
==22785== Process terminating with default action of signal 11 (SIGSEGV)

Updated • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE

Updated • 14 years ago
Crash Signature: [@ js::ValueToNumberSlow]

Comment 2 (Reporter) • 13 years ago
A testcase for this bug was already added in the original bug (bug 658211).
Flags: in-testsuite-