Bug 816505 - Segmentation fault in js::analyze::ScriptAnalysis::analyzeBytecode
Status: Closed (opened 12 years ago, closed 12 years ago)
Category: Firefox :: Untriaged, defect
Resolution: RESOLVED DUPLICATE of bug 816368
Reporter: philippovmi; Assignee: Unassigned
Attachments: 1 file (ff.stack, 9.95 KB, text/plain)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20121129 Firefox/20.0
Build ID: 20121129180705
Steps to reproduce:
I've built Firefox from trunk and started it.
Actual results:
It crashed with a segmentation fault after several seconds of work. Here's the top of the stack:
#0 0x00007ffff5600e7e in debugMode (this=0xa00000000b80c41) at /home/maxim/projects/mozilla/js/src/jscompartment.h:462
#1 js::analyze::ScriptAnalysis::analyzeBytecode (this=0x7fffc92f1258, cx=0x7fffc6728480) at /home/maxim/projects/mozilla/js/src/jsanalyze.cpp:142
#2 0x00007ffff52cea95 in JSScript::makeAnalysis (this=0x7fffc675a280, cx=0x7fffc6728480) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:5549
#3 0x00007ffff52e09a7 in ensureRanAnalysis (cx=<optimized out>, this=0x7fffc675a280) at /home/maxim/projects/mozilla/js/src/jsinferinlines.h:1717
#4 AnalyzeNewScriptProperties (cx=<optimized out>, type=0x7fffbe72bdc0, fun=<optimized out>, pbaseobj=..., initializerList=0x7fffffff78e0)
at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:4654
#5 0x00007ffff52e0f98 in CheckNewScriptProperties (cx=0x7fffc6728480, type=..., fun=0x7fffc450c7c0) at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:4964
#6 0x00007ffff52e1853 in JSCompartment::getNewType (this=<optimized out>, cx=<optimized out>, proto_=..., fun_=0x7fffc450c7c0, isDOM=false)
at /home/maxim/projects/mozilla/js/src/jsinfer.cpp:5888
#7 0x00007ffff532063d in js_CreateThisForFunctionWithProto (cx=0x7fffc6728480, callee=..., proto=<optimized out>) at /home/maxim/projects/mozilla/js/src/jsobj.cpp:2359
The full stack is in the `ff.stack' attachment. This crash doesn't occur in safe mode, but even when I disable all plugins, the problem still appears.
It looks like the JS::shadow::compartment member (notice the `this' address) is not initialized, probably because js::gc::ArenaHeader::init wasn't called, though in other ways the ArenaHeader (as computed from the js::gc::Cell address) looks valid.
Updated 12 years ago:
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE