Closed Bug 724798 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::ion::IonCommonFrameLayout::returnAddress] or [@ js::ion::IonFrameIterator::operator++]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 724579

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

stack
10.06 KB, text/plain
Details
Attached file stack 
a = []
b = this
function f(o) {
    __proto__ = a
}
for (;;) {
    try {
        new {}
    } catch (e) {}
    f(b)
}

crashes js debug shell on IonMonkey changeset f46cfb199e77 with -m, -a, --ion and -n at js::ion::IonCommonFrameLayout::returnAddress and crashes js opt shell at js::ion::IonFrameIterator::operator++
This crash is also a test failure of this test:

js/src/tests/js1_2/Array/splice1.js (--ion -n -m)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: