Bug 23893
| Summary: | Debug-only crash due to stack overflow on Windows when running js1_5/Regress/regress-96526-002.js | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Roben (:aroben) <aroben> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | ggaren, sfalken |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | Windows XP | ||
Adam Roben (:aroben)
To reproduce:
1. cd JavaScriptCore/tests/mozilla && /path/to/jsc_debug -s -f ./js1_5/shell.js -f ./js1_5/Regress/regress-96526-002.js
You'll get a crash due to stack overflow. The backtrace looks like this:
> jsc_debug.exe!JSC::BytecodeGenerator::leftHandSideNeedsCopy(bool rightHasAssignments=false, bool rightIsPure=true) Line 225 C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fd6d0, bool rightHasAssignments=false, bool rightIsPure=true) Line 231 + 0x10 bytes C++
jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe638) Line 174 + 0x17 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe638) Line 182 C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe638, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++
jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe6e8) Line 174 + 0x17 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe6e8) Line 182 C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe6e8, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++
jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe798) Line 174 + 0x17 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe798) Line 182 C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe798, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++
jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe848) Line 174 + 0x17 bytes C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe848) Line 182 C++
jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe848, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Adam Roben (:aroben)
<rdar://problem/6576556>
Adam Roben (:aroben)
Looks like this crash only happens in Debug builds.
Alice Liu
no crash now. using r41027 debug build.
Alice Liu
Didn't crash for me on XP but got a crash in Vista. Both were TOT debug builds. reopening bug
Adam Roben (:aroben)
I believe this was fixed by Geoff in r41884.