Closed
Bug 717497
Opened 14 years ago
Closed 13 years ago
Crash [@ Atomize] or [@ js::ToNumberSlow] or [@ js::detail::HashTable] with E4X
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox12 | - | --- |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: js-triage-needed)
Crash Data
Attachments
(1 file)
|
17.14 KB,
text/plain
|
Details |
try {
(function() {
XML.prettyIndent = <x><y/></x>
})()
} catch (e) {}
print(<x><y/></x>)
crashes js opt shell on m-c changeset 7c7d2a8db7ff without any CLI arguments at Atomize with js::ToNumberSlow somewhere on the stack and crashes js debug shell at js::detail::HashTable, this should be a too much recursion crash.
|
Reporter | |
Comment 1•14 years ago
|
||
Tested on 32-bit opt shell on Mac OS X Lion 10.7.2.
autoBisecting now...
|
|
Reporter | |
Comment 2•14 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 67921:0906d9490eaf
user: Jeff Walden
date: Mon Mar 28 20:01:53 2011 -0700
summary: Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke
Blocks: 645468
|
|
Reporter | |
Updated•14 years ago
|
Crash Signature: [@ Atomize]
[@ js::ToNumberSlow]
[@ js::detail::HashTable]
|
||
Comment 3•14 years ago
|
||
Atomize is currently the #2 top crash in Fx12a1.
tracking-firefox12:
--- → ?
|
|
||
Comment 4•14 years ago
|
||
(In reply to Mats Palmgren [:mats] from comment #3)
> Atomize is currently the #2 top crash in Fx12a1.
The regressing changeset for the fuzz bug is pretty old, so I really doubt it's the cause of that topcrash.
The topcrash itself looks significant, but I also see that it was recorded only for builds on Jan 19-21. Do you think it was a temporary regression that got fixed after a couple days?
https://crash-stats.mozilla.com/report/list?version=Firefox%3A12.0a1&query_search=signature&query_type=contains&reason_type=contains&date=2012-01-29&range_value=28&range_unit=days&hang_type=any&process_type=any&signature=Atomize
|
|
||
Comment 5•14 years ago
|
||
> Do you think it was a temporary regression that got fixed after a couple days?
Yes, it looks like it a temporary spike. It's falling and is now at #32 for Fx12.0a1
|
|
Reporter | |
Comment 6•13 years ago
|
||
After bug 779215 was FIXED, this WFM, but this WFM before the bug was FIXED, though adding the options('allow_xml'); line didn't trigger the bug, but the symptoms were largely similar, and e4x is about to be removed.
-> WFM and in-testsuite- because e4x is about to be removed, no point adding the testcase.
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite-
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•