Closed
Bug 563127
Opened 15 years ago
Closed 14 years ago
TM: Crash [@ js_GetCurrentBytecodePC] with evalcx
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
Flag | Tracking | Status |
---|---|---|
blocking2.0 | --- | beta2+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos] fixed by 563099)
Crash Data
Attachments
(1 file)
(deleted),
text/plain
function a() {}
a();
for(var j=0;j<3;++j){ evalcx("lazy");}
Reporter
Comment 1•15 years ago
Reporter
Updated•15 years ago
OS: Linux → All
Hardware: x86_64 → All
Comment 2•15 years ago
(gdb) x/i $eip
0x21c69 <_Z23js_GetCurrentBytecodePCP9JSContext+25>: mov 0x14(%eax),%edx
(gdb) x/1b $eax
0x0: Cannot access memory at address 0x0
This seems to be a null +14 dereference.
Keywords: regression
Whiteboard: [ccbr][sg:dos]
Comment 3•15 years ago
I don't think this can happen inside the browser from content, so I will leave this open for now.
Comment 4•15 years ago
autoBisect shows this is probably related to bug 551680:
The first bad revision is:
changeset: 39494:eba4f78cdca4
user: Igor Bukanov
date: Wed Mar 17 10:29:37 2010 +0300
summary: bug 551680 - replacing JS_(Suspend|Resume)Request with JSAutoSuspendRequest. r=mrbkap
Blocks: 551680
Updated•15 years ago
blocking2.0: --- → ?
Comment 5•15 years ago
This crash is now flooding jsfunfuzz. Urgh.
Updated•15 years ago
blocking2.0: ? → beta1+
Updated•14 years ago
blocking2.0: beta1+ → beta2+
Comment 6•14 years ago
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 44269:3aaaa21012c8
user: Jason Orendorff
date: Wed Jun 23 16:35:10 2010 -0500
summary: Bug 563099 - Compartments and wrappers API. r=gal.
Bug 563099 seems to have fixed the assert.
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Updated•14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Depends on: compartments-api
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos] fixed by 563099
Updated•13 years ago
Crash Signature: [@ js_GetCurrentBytecodePC]
Comment 7•12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+