RESOLVED FIXED 23893
Debug-only crash due to stack overflow on Windows when running js1_5/Regress/regress-96526-002.js 
https://bugs.webkit.org/show_bug.cgi?id=23893
Summary Debug-only crash due to stack overflow on Windows when running js1_5/Regress/...
Adam Roben (:aroben)
Reported 2009-02-11 09:29:51 PST
To reproduce: 1. cd JavaScriptCore/tests/mozilla && /path/to/jsc_debug -s -f ./js1_5/shell.js -f ./js1_5/Regress/regress-96526-002.js You'll get a crash due to stack overflow. The backtrace looks like this: > jsc_debug.exe!JSC::BytecodeGenerator::leftHandSideNeedsCopy(bool rightHasAssignments=false, bool rightIsPure=true) Line 225 C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fd6d0, bool rightHasAssignments=false, bool rightIsPure=true) Line 231 + 0x10 bytes C++ jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe638) Line 174 + 0x17 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe638) Line 182 C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe638, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++ jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe6e8) Line 174 + 0x17 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe6e8) Line 182 C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe6e8, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++ jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe798) Line 174 + 0x17 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe798) Line 182 C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe798, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++ jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000) Line 499 + 0x48 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe848) Line 174 + 0x17 bytes C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe848) Line 182 C++ jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe848, bool rightHasAssignments=false, bool rightIsPure=true) Line 237 + 0xc bytes C++
Attachments
Add attachment proposed patch, testcase, etc.
Adam Roben (:aroben)
Comment 1 2009-02-11 09:30:24 PST
<rdar://problem/6576556>
Adam Roben (:aroben)
Comment 2 2009-02-11 12:13:05 PST
Looks like this crash only happens in Debug builds.
Alice Liu
Comment 3 2009-02-17 15:34:01 PST
no crash now. using r41027 debug build.
Alice Liu
Comment 4 2009-02-17 15:40:13 PST
Didn't crash for me on XP but got a crash in Vista. Both were TOT debug builds. reopening bug
Adam Roben (:aroben)
Comment 5 2009-03-23 07:34:41 PDT
I believe this was fixed by Geoff in r41884.
Note You need to log in before you can comment on or make changes to this bug.