Closed
Bug 755762
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash on Heap through js::PrepareCompartmentForGC (ARM only)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 755759
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase)
The following testcase crashes on ionmonkey revision 50177d59c0e1 (run with --ion -n -m --ion-eager):
function optionsClear() {
  var optionNames = options().split(',');
}
function optionsReset() {
  optionsClear();
}
optionsClear();
function jsTestDriverEnd() {
  optionsReset();
}
evaluate("function options ( toString ) schedulegc('Order: ' + Uint32Array);");
evaluate("try { jsTestDriverEnd(); } catch(exc1) {}");
evaluate("try { jsTestDriverEnd(); } catch(exc1) {}");
evaluate("try { jsTestDriverEnd(); } catch(exc1) {}");
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x40a020e8 in ?? ()
(gdb) bt
#0 0x40a020e8 in ?? ()
Cannot access memory at address 0xdeadbeef
#1 0x000a02fa in js::PrepareCompartmentForGC (comp=0xffffff82) at /home/decoder/ionmonkey/js/src/jsfriendapi.cpp:137
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x40a020e8: adcmi r1, r0, r0, ror #1
(gdb) info reg r1 r0 r0
r1 0xbe8ede28 3197034024
r0 0x1 1
r0 0x1 1
(gdb)
Updated • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated • 11 years ago
Group: core-security