Closed
Bug 496867
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ js_ConcatStrings]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 496251
People
(Reporter: gkw, Assigned: dmandelin)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:dupe 496251])
Crash Data
$ cat 2.js
for (x = 0; x < 1;) {
  for each(let a in ['', NaN]) {
    print((function() {
      for (let y = 0; y < 1; ++y) {
        '' + a
      }
    })())
  }
}
gdb output:
undefined
undefined
undefined
undefined
undefined
undefined
undefined
[New Thread 0xb7df16d0 (LWP 20202)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7df16d0 (LWP 20202)]
0x0814f497 in js_ConcatStrings (cx=0x88329e8, left=0x8833000, right=0xffffffff) at ../jsstr.cpp:136
136 ../jsstr.cpp: No such file or directory.
in ../jsstr.cpp
(gdb) bt
#0 0x0814f497 in js_ConcatStrings (cx=0x88329e8, left=0x8833000, right=0xffffffff) at ../jsstr.cpp:136
#1 0xb7cc3f00 in ?? ()
#2 0xbfbc4ec8 in ?? ()
#3 0xb7cc3d4c in ?? ()
#4 0xbfbc7548 in ?? ()
#5 0x081a11e9 in js_RecordLoopEdge (cx=0x88329e8, r=0x883c278, inlineCallCount=@0xbfbc7e1c) at ../jstracer.cpp:4127
#6 0x081a140c in js_MonitorLoopEdge (cx=0x88329e8, inlineCallCount=@0xbfbc7e1c) at ../jstracer.cpp:4719
#7 0x080b3973 in js_Interpret (cx=0x88329e8) at ../jsinterp.cpp:3308
#8 0x080dddae in js_Execute (cx=0x88329e8, chain=0x8836000, script=0x883d8b0, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:1622
#9 0x08055728 in JS_ExecuteScript (cx=0x88329e8, obj=0x8836000, script=0x883d8b0, rval=0x0) at ../jsapi.cpp:5036
#10 0x08051775 in Process (cx=0x88329e8, obj=0x8836000, filename=0xbfbc8708 "2.js", forceTTY=0) at ../js.cpp:407
#11 0x0805230b in ProcessArgs (cx=0x88329e8, obj=0x8836000, argv=0xbfbc8138, argc=2) at ../js.cpp:767
#12 0x080526d2 in main (argc=2, argv=0xbfbc8138, envp=0xbfbc8144) at ../js.cpp:4696
(gdb)
The testcase crashes js debug and opt with -j at js_ConcatStrings. Setting security-sensitive because there's a bunch of unknowns in the backtrace.
Flags: blocking1.9.1?
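The reporter's reasoning above (unresolved frames in the backtrace, so treat the crash as security-sensitive) can be written as a small triage check over gdb `bt` output. This is an added example, not code from this bug or from Mozilla's tooling; the function names and the all-ones pointer rule are assumptions made for illustration.

```python
import re

# Frames #0-#7 copied from the gdb backtrace in this report.
SAMPLE_BT = """\
#0 0x0814f497 in js_ConcatStrings (cx=0x88329e8, left=0x8833000, right=0xffffffff) at ../jsstr.cpp:136
#1 0xb7cc3f00 in ?? ()
#2 0xbfbc4ec8 in ?? ()
#3 0xb7cc3d4c in ?? ()
#4 0xbfbc7548 in ?? ()
#5 0x081a11e9 in js_RecordLoopEdge (cx=0x88329e8, r=0x883c278, inlineCallCount=@0xbfbc7e1c) at ../jstracer.cpp:4127
#6 0x081a140c in js_MonitorLoopEdge (cx=0x88329e8, inlineCallCount=@0xbfbc7e1c) at ../jstracer.cpp:4719
#7 0x080b3973 in js_Interpret (cx=0x88329e8) at ../jsinterp.cpp:3308
"""

# "#N [PC in] FUNC (ARGS) [at FILE:LINE]" as printed by gdb's `bt`.
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\S+) \((?P<args>.*?)\)"
    r"(?: at (?P<src>\S+))?\s*$"
)
ARG_RE = re.compile(r"(\w+)=@?(0x[0-9a-fA-F]+)")


def parse_frames(bt_text):
    """Return one dict per backtrace frame: number, function, hex args, source."""
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            args = {k: int(v, 16) for k, v in ARG_RE.findall(m["args"])}
            frames.append({"n": int(m["n"]), "func": m["func"],
                           "args": args, "src": m["src"]})
    return frames


def triage(bt_text, ptr_bits=32):
    """Hypothetical triage rule: flag unresolved frames or an all-ones pointer
    argument in the crashing frame (assumption: 32-bit target, as in this log)."""
    frames = parse_frames(bt_text)
    if not frames:
        return None
    top, all_ones = frames[0], (1 << ptr_bits) - 1
    unresolved = [f["n"] for f in frames if f["func"] == "??"]
    bad_args = sorted(k for k, v in top["args"].items() if v == all_ones)
    return {"crash_func": top["func"], "crash_src": top["src"],
            "unresolved_frames": unresolved, "all_ones_args": bad_args,
            "needs_security_review": bool(unresolved or bad_args)}

if __name__ == "__main__":
    print(triage(SAMPLE_BT))
```

On the backtrace from this report the check reports frames #1 to #4 as unresolved and `right` as an all-ones pointer in `js_ConcatStrings`.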
Reporter
Comment 1•15 years ago
autoBisect shows this is probably related to bug 495907:
The first bad revision is:
changeset: 28891:b9e104ec562f
user: David Mandelin
date: Tue Jun 02 11:52:24 2009 -0700
summary: Bug 495907: use more reliable code to get outermost tree script nest level, r=gal
Blocks: 495907
Keywords: regression
Updated•15 years ago
Assignee: general → dmandelin
Updated•15 years ago
Assignee: dmandelin → general
Updated•15 years ago
Assignee: general → dmandelin
Assignee
Comment 2•15 years ago
I just confirmed this bug exists before the patch for bug 496251 was applied, but not after.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Updated•15 years ago
Group: core-security
Flags: wanted1.9.0.x-
Whiteboard: [sg:dupe 496251]
Reporter
Updated•15 years ago
Flags: in-testsuite?
Updated•13 years ago
Crash Signature: [@ js_ConcatStrings]