Closed
Bug 844480
Opened 12 years ago
Closed 12 years ago
OdinMonkey: Crash [@ CheckExpr]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])
The following testcase crashes on odinmonkey revision 1bfa5e6b2087 (run with ):
var asm = (function(global, buffer) {
    'use asm';
    function _memcpy(i1, i2, i3) {
        i1 = i1 | 0;
        i2 = i2 | 0;
        i3 = i3 | 0;
        for (;;)
            hits[11]++;
    }
    return {};
}, buffer);
Comment 1•12 years ago (Reporter)
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
CheckExpr (f=..., expr=0x0, use=..., def=<optimized out>, type=<optimized out>) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:3788
3788 if (IsNumericLiteral(expr))
(gdb) bt
#0 CheckExpr (f=..., expr=0x0, use=..., def=<optimized out>, type=<optimized out>) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:3788
#1 0x00000000009883cf in CheckFor (maybeLabels=0x0, forStmt=0xc695e0, f=...) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:3910
#2 CheckStatement (f=..., stmt=0xc695e0, maybeLabels=0x0) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:4208
#3 0x0000000000989abb in ensureUnusedApproximate (n=16384, this=0x7fffffffbcf8) at ../ds/LifoAlloc.h:263
#4 ensureBallast (this=<optimized out>) at ../ion/IonAllocPolicy.h:70
#5 CheckStatement (maybeLabels=0x0, stmt=0xc695e0, f=...) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:4202
#6 CheckStatements (f=..., stmtHead=<optimized out>) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:4183
#7 CheckFunctionBody (m=..., func=...) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:4310
#8 0x000000000098bb5c in CheckFunctionBodies (m=...) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:4337
#9 CheckModule (cx=<optimized out>, ts=..., fn=<optimized out>, module=0x7fffffffc5d0) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:4784
#10 0x000000000098c453 in js::CompileAsmJS (cx=0xc4a210, ts=..., fn=0xc68d60, script=...) at /srv/repos/odinmonkey/js/src/ion/AsmJS.cpp:4815
#11 0x00000000006d5fb1 in EmitFunc (cx=0xc4a210, bce=0x7fffffffcde0, pn=0xc68d60) at /srv/repos/odinmonkey/js/src/frontend/BytecodeEmitter.cpp:4436
#12 0x00000000006d2f06 in js::frontend::EmitTree (cx=0xc4a210, bce=0x7fffffffcde0, pn=0xc68d60) at /srv/repos/odinmonkey/js/src/frontend/BytecodeEmitter.cpp:5504
#13 0x00000000006d379e in EmitTree (pn=0xc68d60, bce=0x7fffffffcde0, cx=0xc4a210) at /srv/repos/odinmonkey/js/src/frontend/BytecodeEmitter.cpp:5490
#14 js::frontend::EmitTree (cx=0xc4a210, bce=0x7fffffffcde0, pn=0xc69910) at /srv/repos/odinmonkey/js/src/frontend/BytecodeEmitter.cpp:5702
#15 0x00000000006db696 in EmitTree (pn=0xc69910, bce=0x7fffffffcde0, cx=0xc4a210) at /srv/repos/odinmonkey/js/src/frontend/BytecodeEmitter.cpp:5490
#16 EmitVariables (cx=0xc4a210, bce=0x7fffffffcde0, pn=<optimized out>, emitOption=InitializeVars, isLet=false) at /srv/repos/odinmonkey/js/src/frontend/BytecodeEmitter.cpp:3195
#17 0x00000000006d3516 in js::frontend::EmitTree (cx=0xc4a210, bce=0x7fffffffcde0, pn=0xc68ce0) at /srv/repos/odinmonkey/js/src/frontend/BytecodeEmitter.cpp:5652
#18 0x00000000006c5199 in js::frontend::CompileScript (cx=0xc4a210, scopeChain=(JSObject * const) 0x7ffff4e29060 [object global] delegate, evalCaller=0x0, options=..., chars=0xc59c80, length=203, source_=0x0,
staticLevel=0, extraSct=0x0) at /srv/repos/odinmonkey/js/src/frontend/BytecodeCompiler.cpp:214
#19 0x0000000000435503 in JS::Compile (cx=0xc4a210, obj=(JSObject * const) 0x7ffff4e29060 [object global] delegate, options=..., chars=<optimized out>, length=<optimized out>)
at /srv/repos/odinmonkey/js/src/jsapi.cpp:5222
#20 0x00000000004358fa in JS::Compile (cx=0xc4a210, obj=(JSObject * const) 0x7ffff4e29060 [object global] delegate, options=..., bytes=<optimized out>, length=203) at /srv/repos/odinmonkey/js/src/jsapi.cpp:5237
#21 0x0000000000443326 in JS::Compile (cx=0xc4a210, obj=(JSObject * const) 0x7ffff4e29060 [object global] delegate, options=..., fp=0xc50b50) at /srv/repos/odinmonkey/js/src/jsapi.cpp:5249
#22 0x0000000000406f61 in Process (cx=0xc4a210, obj_=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>) at /srv/repos/odinmonkey/js/src/shell/js.cpp:464
#23 0x0000000000412e58 in ProcessArgs (op=0x7fffffffdc50, obj_=(JSObject *) 0x7ffff4e29060 [object global] delegate, cx=0xc4a210) at /srv/repos/odinmonkey/js/src/shell/js.cpp:5022
#24 Shell (cx=0xc4a210, op=0x7fffffffdc50, envp=<optimized out>) at /srv/repos/odinmonkey/js/src/shell/js.cpp:5059
#25 0x0000000000413926 in main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffffffde40) at /srv/repos/odinmonkey/js/src/shell/js.cpp:5289
(gdb) x /i $pc
=> 0x97b9de <CheckExpr(FunctionCompiler&, js::frontend::ParseNode*, Use, js::ion::MDefinition**, Type*)+190>: movzwl (%r12),%eax
(gdb) info reg r12 eax
r12 0x0 0
eax 0xcbba20 13351456
Comment 2•12 years ago
Oh hai optional for loop condition!
http://hg.mozilla.org/users/lwagner_mozilla.com/odinmonkey/rev/fb599d993eae
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
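The bug pattern named in Comment 2 and visible in frames #0 and #1 of the trace, as an added sketch that is not SpiderMonkey code and not the contents of the linked fix: a `for` checker that hands an omitted condition to the expression checker, beside the guarded form. `Node`, `Result`, `checkExpr`, `checkFor` and `guardCond` are hypothetical names, only the condition clause is modelled, and the sketch returns `NullDeref` where the real frame faulted.

```cpp
// Added illustration only: Node, Result, checkExpr, checkFor are hypothetical names.
#include <cstdio>
enum class Kind { NumLit, Empty, For };
enum class Result { Ok, TypeError, NullDeref };

struct Node {
    Kind kind;
    const Node* cond;  // for-condition; null when omitted, as in `for (;;)`
    const Node* body;  // loop body; always present for a For node
};

// Expression check; returns NullDeref where an unchecked read of the node would fault.
Result checkExpr(const Node* expr) {
    if (!expr) return Result::NullDeref;
    return expr->kind == Kind::NumLit ? Result::Ok : Result::TypeError;
}

Result checkStmt(const Node* stmt, bool guardCond);
// guardCond=false always checks the condition (bug pattern); true skips a missing one.
Result checkFor(const Node* loop, bool guardCond) {
    if (loop->cond || !guardCond) {
        Result r = checkExpr(loop->cond);
        if (r != Result::Ok) return r;
    }
    return checkStmt(loop->body, guardCond);
}

Result checkStmt(const Node* stmt, bool guardCond) {
    if (stmt->kind == Kind::Empty) return Result::Ok;
    if (stmt->kind == Kind::For) return checkFor(stmt, guardCond);
    return checkExpr(stmt);
}

// Constructed AST for `for (;;) ;`
Result checkBareFor(bool guardCond) {
    Node empty{Kind::Empty, nullptr, nullptr};
    Node loop{Kind::For, nullptr, &empty};
    return checkStmt(&loop, guardCond);
}

// Constructed AST for `for (; 1; ) for (;;) ;` (the omitted condition is nested)
Result checkNestedFor(bool guardCond) {
    Node empty{Kind::Empty, nullptr, nullptr}, one{Kind::NumLit, nullptr, nullptr};
    Node inner{Kind::For, nullptr, &empty};
    Node outer{Kind::For, &one, &inner};
    return checkStmt(&outer, guardCond);
}
int main() {
    std::printf("unguarded=%d guarded=%d\n", (int)checkBareFor(false), (int)checkBareFor(true));
}
```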