Closed
Bug 925848
Opened 11 years ago
Closed 11 years ago
Crash with SIGTRAP and range analysis
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
Tracking | Status | |
---|---|---|
firefox26 | --- | unaffected |
firefox27 | --- | fixed |
firefox-esr17 | --- | unaffected |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: sunfish)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [qa-])
Attachments
(1 file)
1.74 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 672cd63528d3 (threadsafe build, run with --ion-check-range-analysis --ion-eager): var TIME_1900 = -2208988800000; var array = new Array(); array[array.length] = new Date( TIME_1900 * Math.PI ); array[array.length] = new Date( TIME_1900 * 10 ); var stringarr = new Array(); clone( array, stringarr ); stringarr.sort( stringsort ); function clone( source, target ) { for (i = 0; i < source.length; i++ ) { target[i] = source[i]; } } function stringsort( x, y ) { for ( var i = 0; i < x.toString().length; i++ ) { var d = x.length - y.length; if ( d > 0 ) { } else { if ( d < 0 ) {} } } }
Comment 1•11 years ago
|
||
Dan, do you have an idea on whether this is related to any of the recent range analysis work?
Updated•11 years ago
|
Flags: needinfo?(sunfish)
Assignee | ||
Comment 2•11 years ago
|
||
Yes, I can confirm this is due to my range analysis changes.
Assignee: general → sunfish
Flags: needinfo?(sunfish)
Updated•11 years ago
|
Keywords: regression
Assignee | ||
Comment 3•11 years ago
|
||
Attachment #817492 -
Flags: review?(nicolas.b.pierron)
Updated•11 years ago
|
Attachment #817492 -
Flags: review?(nicolas.b.pierron) → review+
Assignee | ||
Comment 4•11 years ago
|
||
Since this was caused by my recent range analysis changes, I just checked the fix in: https://hg.mozilla.org/integration/mozilla-inbound/rev/d0fc1cc4c62b
Comment 5•11 years ago
|
||
fixed in mozilla-central https://hg.mozilla.org/mozilla-central/rev/d0fc1cc4c62b
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox27:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Comment 6•11 years ago
|
||
Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.
status-b2g18:
--- → unaffected
Updated•11 years ago
|
status-firefox26:
--- → unaffected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
Updated•10 years ago
|
Group: core-security
status-b2g-v1.2:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•