Closed Bug 724798 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ js::ion::IonCommonFrameLayout::returnAddress] or [@ js::ion::IonFrameIterator::operator++]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 724579

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

stack
10.06 KB, text/plain
Details
Attached file stack
a = [] b = this function f(o) { __proto__ = a } for (;;) { try { new {} } catch (e) {} f(b) } crashes js debug shell on IonMonkey changeset f46cfb199e77 with -m, -a, --ion and -n at js::ion::IonCommonFrameLayout::returnAddress and crashes js opt shell at js::ion::IonFrameIterator::operator++
This crash is also a test failure of this test: js/src/tests/js1_2/Array/splice1.js (--ion -n -m)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: