Bug 23893 - Debug-only crash due to stack overflow on Windows when running js1_5/Regress/regress-96526-002.js
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Windows XP
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2009-02-11 09:29 PST by Adam Roben (:aroben)
Modified: 2009-03-23 07:34 PDT
Description Adam Roben (:aroben) 2009-02-11 09:29:51 PST
To reproduce:

1. cd JavaScriptCore/tests/mozilla && /path/to/jsc_debug -s -f ./js1_5/shell.js -f ./js1_5/Regress/regress-96526-002.js

You'll get a crash due to stack overflow. The backtrace looks like this:

>	jsc_debug.exe!JSC::BytecodeGenerator::leftHandSideNeedsCopy(bool rightHasAssignments=false, bool rightIsPure=true)  Line 225	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fd6d0, bool rightHasAssignments=false, bool rightIsPure=true)  Line 231 + 0x10 bytes	C++
 	jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000)  Line 499 + 0x48 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe638)  Line 174 + 0x17 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe638)  Line 182	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe638, bool rightHasAssignments=false, bool rightIsPure=true)  Line 237 + 0xc bytes	C++
 	jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000)  Line 499 + 0x48 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe6e8)  Line 174 + 0x17 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe6e8)  Line 182	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe6e8, bool rightHasAssignments=false, bool rightIsPure=true)  Line 237 + 0xc bytes	C++
 	jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000)  Line 499 + 0x48 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe798)  Line 174 + 0x17 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe798)  Line 182	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe798, bool rightHasAssignments=false, bool rightIsPure=true)  Line 237 + 0xc bytes	C++
 	jsc_debug.exe!JSC::BracketAccessorNode::emitBytecode(JSC::BytecodeGenerator & generator={...}, JSC::RegisterID * dst=0x00000000)  Line 499 + 0x48 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::RegisterID * dst=0x00000000, JSC::Node * n=0x014fe848)  Line 174 + 0x17 bytes	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNode(JSC::Node * n=0x014fe848)  Line 182	C++
 	jsc_debug.exe!JSC::BytecodeGenerator::emitNodeForLeftHandSide(JSC::ExpressionNode * n=0x014fe848, bool rightHasAssignments=false, bool rightIsPure=true)  Line 237 + 0xc bytes	C++
Comment 1 Adam Roben (:aroben) 2009-02-11 09:30:24 PST
<rdar://problem/6576556>
Comment 2 Adam Roben (:aroben) 2009-02-11 12:13:05 PST
Looks like this crash only happens in Debug builds.
Comment 3 Alice Liu 2009-02-17 15:34:01 PST
No crash now. Using r41027 debug build.
Comment 4 Alice Liu 2009-02-17 15:40:13 PST
Didn't crash for me on XP but got a crash on Vista. Both were TOT debug builds. Reopening bug.
Comment 5 Adam Roben (:aroben) 2009-03-23 07:34:41 PDT
I believe this was fixed by Geoff in r41884.