Closed Bug 816505 Opened 12 years ago Closed 12 years ago

Segmentation fault in js::analyze::ScriptAnalysis::analyzeBytecode

Categories

(Firefox :: Untriaged, defect)

20 Branch
x86_64
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 816368

People

(Reporter: philippovmi, Unassigned)

Attachments

(1 file)

Attached file Full stack
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20121129 Firefox/20.0
Build ID: 20121129180705

Steps to reproduce:

I've built Firefox from trunk and started it.

Actual results:

It has crashed with a segmentation fault after several seconds of work. Here's the top of the stack:

#0 0x00007ffff5600e7e in debugMode (this=0xa00000000b80c41) at /home/maxim/projects/mozilla/js/src/jscompartment.h:462
#1 js::analyze::ScriptAnalysis::analyzeBytecode (this=0x7fffc92f1258, cx=0x7fffc6728480) at /home/maxim/projects/mozilla/js/src/jsanalyze.cpp:142
#2 0x00007ffff52cea95 in JSScript::makeAnalysis (this=0x7fffc675a280, cx=0x7fffc6728480) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:5549
#3 0x00007ffff52e09a7 in ensureRanAnalysis (cx=<optimized out>, this=0x7fffc675a280) at /home/maxim/projects/mozilla/js/src/jsinferinlines.h:1717
#4 AnalyzeNewScriptProperties (cx=<optimized out>, type=0x7fffbe72bdc0, fun=<optimized out>, pbaseobj=..., initializerList=0x7fffffff78e0) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:4654
#5 0x00007ffff52e0f98 in CheckNewScriptProperties (cx=0x7fffc6728480, type=..., fun=0x7fffc450c7c0) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:4964
#6 0x00007ffff52e1853 in JSCompartment::getNewType (this=<optimized out>, cx=<optimized out>, proto_=..., fun_=0x7fffc450c7c0, isDOM=false) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:5888
#7 0x00007ffff532063d in js_CreateThisForFunctionWithProto (cx=0x7fffc6728480, callee=..., proto=<optimized out>) at /home/maxim/projects/mozilla/js/src/jsobj.cpp:2359

The full stack is in the `ff.stack' attachment.

This crash doesn't occur in safe mode, but even when I disable all plugins, the problem still appears. Looks like the JS::shadow::compartment member (notice the `this' address) is not initialized, probably because js::gc::ArenaHeader::init wasn't called, though in other ways the ArenaHeader (as computed from the js::gc::Cell address) looks valid.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE