Closed
Bug 759211
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ js::ShapeTable::search]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 759312
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m --ion-eager):
try {
    var actual = '';
    function testNaNCanonicalization() {
        var buf = new ArrayBuffer(128);
        var u8 = new Uint8Array(buf);
        for (var i = 0; i < 128; i++)
            u8[i] = 0xFF;
        var dblarr = new Float64Array(buf);
    }
    for (var i = 0; i < 10; (actual)++) {
        testNaNCanonicalization();
    }
} catch(exc1) {}
Comment 1 • 13 years ago (Reporter)
This only reproduced for me on an opt build and it did not always reproduce consistently (that's why I s-s'ed it). The crash looks like this:
==20428== Invalid read of size 4
==20428== at 0x8159327: js::ShapeTable::search(int, bool) (jsscope.cpp:158)
==20428== by 0xFEBD127F: ???
==20428== Address 0x4 is not stack'd, malloc'd or (recently) free'd
Comment 2 • 13 years ago (Reporter)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 80a444262772).
Updated • 13 years ago (Reporter)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
I can reproduce this on tip. Tested to be a dupe of bug 759312.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated • 13 years ago (Reporter)
Group: core-security
Comment 4 • 12 years ago (Reporter)
A testcase for this bug was already added in the original bug (bug 759312).
Flags: in-testsuite-