Closed Bug 875879 Opened 12 years ago Closed 12 years ago

JavaScript crash m-i

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 875757

People

(Reporter: hub, Unassigned)

Details

When I open http://boingboing.net/2013/05/24/father-white-says-he-was-acc.html I get a crash. Platform: Linux Tree: m-i revision changeset: 132885:a5e238c116d6 Here is the stack trace (gdb) where #0 js::types::IdToTypeId (id=0) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:275 #1 0x00007ffff52ea315 in IdToTypeId (id=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:273 #2 js::types::AddTypePropertyId (cx=0x7fff6be6f1e0, obj=<optimized out>, id=<optimized out>, value=...) at /home/hub/source/mozilla/src/js/src/jsinferinlines.h:614 #3 0x00007ffff54f726f in js::ion::DoTypeUpdateFallback (cx=0x7fff6be6f1e0, frame=<optimized out>, stub=0x7fff99e7eb48, objval=..., value=...) at /home/hub/source/mozilla/src/js/src/ion/BaselineIC.cpp:1395 #4 0x00007ffff7e63971 in ?? () #5 0x00007ffffffe9408 in ?? () #6 0x00007ffffffe93e8 in ?? () #7 0x00007ffffffe94a0 in ?? () #8 0x00007ffff67e7860 in ?? () from /home/hub/source/mozilla/src/obj-x86_64-unknown-linux-gnu/dist/bin/libxul.so #9 0x00007fffd4d24e50 in ?? () #10 0x00007fffd32d7f41 in ?? () #11 0x0000000000000302 in ?? () #12 0x00007ffffffe9458 in ?? () #13 0x00007fff99e7eb48 in ?? () #14 0xfffbffff6f442e20 in ?? () #15 0xfffbffffbfdc8880 in ?? () #16 0x00007ffffffe94a0 in ?? () #17 0x00007fff99e7eb48 in ?? () #18 0x00007fffd3054c86 in ?? () #19 0x0000000000000601 in ?? () #20 0xfffbffffbfdc8880 in ?? () #21 0xfffbffff6f442e20 in ?? () #22 0x00007ffff5505e0c in js::ion::Compile<js::ion::SequentialCompileContext> (cx=0x7fff6cd269a8, script=..., fp=..., osrPc= 0x7fff6f442e20 "\230\231\373l\377\177", constructing=<optimized out>, compileContext=...) at /home/hub/source/mozilla/src/js/src/ion/Ion.cpp:1583 Backtrace stopped: previous frame inner to this frame (corrupt stack?)
CC: kannan & jandem
Probably dupe of bug 875757.
Looks like it. Very similar.
js::types::IdToTypeId is one of bug 857757's signatures.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.