Bug 728687 - OOM Crash [@ js::types::TypeObject::addProperty]
Status: RESOLVED WORKSFORME (Closed)
Opened 12 years ago; closed 9 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Unassigned
Keywords: crash, testcase; Whiteboard: js-triage-needed
Attachments (1 file): 1.86 KB, application/x-compressed-tar
Description

The attached test crashes on mozilla-central revision 78fde7e54d92 (see README for running instructions). Crash trace:

==29250== Invalid read of size 8
==29250== at 0x465D86: js::types::TypeObject::addProperty(JSContext*, long, js::types::Property**) (jsinfer.cpp:2837)
==29250== by 0x471E03: js::types::TypeObject::getProperty(JSContext*, long, bool) (jsinferinlines.h:1207)
==29250== by 0x467BB6: js::types::TypeSet::HasObjectFlags(JSContext*, js::types::TypeObject*, unsigned int) (jsinfer.cpp:1649)
==29250== by 0x57C233: js::mjit::Compiler::scanInlineCalls(unsigned int, unsigned int) (Compiler.cpp:363)
==29250== by 0x57C387: js::mjit::Compiler::scanInlineCalls(unsigned int, unsigned int) (Compiler.cpp:398)
==29250== by 0x597CEF: js::mjit::Compiler::performCompilation() (Compiler.cpp:539)
==29250== by 0x597E05: js::mjit::Compiler::compile() (Compiler.cpp:159)
==29250== by 0x5986D9: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:996)
==29250== by 0x47CEE2: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1701)
==29250== by 0x572499: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1080)
==29250== by 0x57259F: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1112)
==29250== by 0x481219: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:451)
==29250== Address 0x1 is not stack'd, malloc'd or (recently) free'd
Updated 10 years ago
Assignee: general → nobody

Comment 1 (Reporter), 9 years ago
Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME