Bug 506178
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ js_GetClosureArg]
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED DUPLICATE of bug 506018

| | Tracking | Status |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, regression, testcase)
```js
v = let(f = function (y) {
    let(f = function (g) {
        for each(let h in g) {
            if (y > 4) {
                with(1) {}
            }
        }
    }) {
        f([0, 0, 0])
    }
}) print(f())
```
crashes TM tip dbg js shell with -j at js_GetClosureArg at null. Doesn't seem to affect 1.9.1 branch.
Flags: blocking1.9.2?
Reporter
Comment 1•15 years ago
Affects opt js shell too.
autoBisect shows this is probably related to bug 496240:
The first bad revision is:
changeset: 30380:b75efc9ee5b1
user: David Mandelin
date: Tue Jul 21 16:22:36 2009 -0700
summary: Bug 496240: trace JSOP_NAME for active (on-stack) closures, r=gal
Though it crashes at null, there are two memory address entries on the stack.
```
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   js-dbg-tm-darwin   0x000e3a30 js_GetClosureArg(JSContext*, JSObject*, unsigned int, unsigned int, unsigned int, double*) + 128
1   ???                0x00186f2d 0 + 1601325
2   ???                0xbffff268 0 + 3221221992
3   js-dbg-tm-darwin   0x000f7c1e js_MonitorLoopEdge(JSContext*, unsigned int&) + 1326
4   js-dbg-tm-darwin   0x00055172 js_Interpret + 44610
5   js-dbg-tm-darwin   0x0005a157 js_Execute + 407
6   js-dbg-tm-darwin   0x0000e52c JS_ExecuteScript + 60
7   js-dbg-tm-darwin   0x00003fea Process(JSContext*, JSObject*, char*, int) + 1338
8   js-dbg-tm-darwin   0x000077cf main + 879
9   js-dbg-tm-darwin   0x000022db _start + 209
10  js-dbg-tm-darwin   0x00002209 start + 41
```
Blocks: 496240
Updated•15 years ago
Priority: -- → P1
Comment 3•15 years ago
Yeah, it's a dup.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Reporter
Updated•15 years ago
Flags: in-testsuite?
Updated•14 years ago
Crash Signature: [@ js_GetClosureArg]