Status: New
Owner: [email protected]
Labels: Type-Bug Priority-Medium

New issue 341 by [email protected]: CRASH when running LayoutTests/fast/js/instance-of-immediates.html
http://code.google.com/p/v8/issues/detail?id=341
Get the following crash when running the layout test "LayoutTests/fast/js/instance-of-immediates.html". Filing under V8 because I don't think this is binding specific. This is a new upstream layout test (not yet being pulled into chrome). I tried this same test in chrome 1.0.154.65 and it crashed as well, so this isn't a recent regression.

The javascript being run is:
http://trac.webkit.org/browser/trunk/LayoutTests/fast/js/resources/instance-of-immediates.js?rev=43551

The result from !analyze -v in windbg is:

FAULTING_IP:
+1a62239
01a62239 8b4bff          mov     ecx,dword ptr [ebx-1]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 01a62239
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000001
Attempt to read from address 00000001

FAULTING_THREAD:  000052ac

DEFAULT_BUCKET_ID:  NULL_INSTRUCTION_PTR

PROCESS_NAME:  test_shell.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  00000001

FAILED_INSTRUCTION_ADDRESS:
+1a62239
01a62239 8b4bff          mov     ecx,dword ptr [ebx-1]

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  01a60adf

PRIMARY_PROBLEM_CLASS:  NULL_INSTRUCTION_PTR

BUGCHECK_STR:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER:  from 01a60adf to 01a62239

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012eb78 01a60adf 01e1c079 00000002 02037329 0x1a62239
0012ec80 0055f0d1 01a74120 02016779 02010d51 0x1a60adf
0012ecbc 0055f1b5 00aedb94 016b6a00 016b6a0c test_shell!v8::internal::Invoke+0x81 [e:\src\chrome1\src\v8\src\execution.cc @ 97]
0012ecdc 00539f6d 0012ed08 016b6a00 016b6a0c test_shell!v8::internal::Execution::Call+0x25 [e:\src\chrome1\src\v8\src\execution.cc @ 122]
0012ed18 0067e2b2 0012ed48 0012eda4 0012ef9c test_shell!v8::Script::Run+0xad [e:\src\chrome1\src\v8\src\api.cc @ 1088]
0012ed38 0067ec00 0012ed7c 016b6a00 00000000 test_shell!WebCore::V8Proxy::RunScript+0xe2 [e:\src\chrome1\src\webkit\port\bindings\v8\v8_proxy.cpp @ 1106]
0012ed74 00698b4e 0012eda4 016b6774 00000000 test_shell!WebCore::V8Proxy::evaluate+0xb0 [e:\src\chrome1\src\webkit\port\bindings\v8\v8_proxy.cpp @ 1060]
0012eda8 0066c86a 0012edc0 0012ef98 00000000 test_shell!WebCore::ScriptController::evaluate+0x5e [e:\src\chrome1\src\webkit\port\bindings\v8\scriptcontroller.cpp @ 233]
0012edc4 00817457 0012ee08 0012ef98 0168c478 test_shell!WebCore::FrameLoader::executeScript+0x4a [e:\src\chrome1\src\third_party\webkit\webcore\loader\frameloader.cpp @ 804]
0012ef78 008185e4 0012eff0 0012ef98 00400000 test_shell!WebCore::HTMLTokenizer::scriptExecution+0xc7 [e:\src\chrome1\src\third_party\webkit\webcore\html\htmltokenizer.cpp @ 600]
0012f024 0071337a 016c6b58 016c6b58 016c6b60 test_shell!WebCore::HTMLTokenizer::notifyFinished+0x204 [e:\src\chrome1\src\third_party\webkit\webcore\html\htmltokenizer.cpp @ 1993]
0012f048 00713479 016a4a18 0012f080 0076032b test_shell!WebCore::CachedScript::checkNotify+0x3a [e:\src\chrome1\src\third_party\webkit\webcore\loader\cachedscript.cpp @ 106]
0012f054 0076032b 016c62d8 00000001 00000000 test_shell!WebCore::CachedScript::data+0x99 [e:\src\chrome1\src\third_party\webkit\webcore\loader\cachedscript.cpp @ 96]
0012f080 00856bbb 016c7370 0169ff20 0082f2d7 test_shell!WebCore::Loader::Host::didFinishLoading+0xab [e:\src\chrome1\src\third_party\webkit\webcore\loader\loader.cpp @ 324]
0012f08c 0082f2d7 00491637 016c76f8 01695de8 test_shell!WebCore::SubresourceLoader::didFinishLoading+0x2b [e:\src\chrome1\src\third_party\webkit\webcore\loader\subresourceloader.cpp @ 183]
0012f090 00491637 016c76f8 01695de8 016a08c8 test_shell!WebCore::ResourceLoader::didFinishLoading+0x7 [e:\src\chrome1\src\third_party\webkit\webcore\loader\resourceloader.cpp @ 417]
0012f0bc 0043a8fc 01695de0 01695de8 016a08c8 test_shell!WebCore::ResourceHandleInternal::OnCompletedRequest+0xf7 [e:\src\chrome1\src\webkit\glue\resource_handle_impl.cc @ 627]
0012f0d0 0043af4b 01695de0 01695de8 0012f590 test_shell!`anonymous namespace'::RequestProxy::NotifyCompletedRequest+0x1c [e:\src\chrome1\src\webkit\tools\test_shell\simple_resource_loader_bridge.cc @ 189]
0012f0e4 0040899e 00000000 0012f590 00000001 test_shell!RunnableMethod<`anonymous namespace'::RequestProxy,void (__thiscall A0xeb14a652::RequestProxy::*)(URLRequestStatus const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),Tuple2<URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::Run+0x1b [e:\src\chrome1\src\base\task.h @ 307]
0012f188 0040a11a 01695dd0 016070b0 01607090 test_shell!MessageLoop::RunTask+0x7e [e:\src\chrome1\src\base\message_loop.cc @ 309]
0012f1d8 0041e0fa 00000000 01607090 00000000 test_shell!MessageLoop::DoWork+0x1ea [e:\src\chrome1\src\base\message_loop.cc @ 424]
0012f208 0041df80 0012f590 0012f590 0012f590 test_shell!base::MessagePumpForUI::DoRunLoop+0x5a [e:\src\chrome1\src\base\message_pump_win.cc @ 210]
0012f228 004096d7 0012f590 0160b498 00000000 test_shell!base::MessagePumpWin::Run+0x40 [e:\src\chrome1\src\base\message_pump_win.h @ 78]
0012f2cc 00409b30 e0c3ee4f 00000720 0160b498 test_shell!MessageLoop::RunInternal+0xb7 [e:\src\chrome1\src\base\message_loop.cc @ 197]
0012f300 00409ddd 00000001 0041a200 00000000 test_shell!MessageLoop::RunHandler+0xa0 [e:\src\chrome1\src\base\message_loop.cc @ 181]
0012f31c 0043fff0 00000008 0160b498 00000000 test_shell!MessageLoop::Run+0x3d [e:\src\chrome1\src\base\message_loop.cc @ 155]
0012f3c0 004406f0 0160b430 01602d88 00000000 test_shell!TestShell::WaitTestFinished+0x140 [e:\src\chrome1\src\webkit\tools\test_shell\test_shell_win.cc @ 446]
0012f488 00403e1f 0012f6a4 00000002 00000a28 test_shell!TestShell::RunFileTest+0x240 [e:\src\chrome1\src\webkit\tools\test_shell\test_shell_win.cc @ 274]
0012ff70 0063284f 00000003 016031d0 016032a0 test_shell!main+0x11cf [e:\src\chrome1\src\webkit\tools\test_shell\test_shell_main.cc @ 299]
0012ffc0 7c816fe7 00011460 7c9113e1 7ffdf000 test_shell!__tmainCRTStartup+0x15f [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 327]
0012fff0 00000000 006328a6 00000000 78746341 kernel32!BaseProcessStart+0x23

FOLLOWUP_IP:
test_shell!v8::internal::Invoke+81 [e:\src\chrome1\src\v8\src\execution.cc @ 97]
0055f0d1 8b4c242c        mov     ecx,dword ptr [esp+2Ch]

FAULTING_SOURCE_CODE:
    93:
    94:   // Call the function through the right JS entry stub.
    95:   value = CALL_GENERATED_CODE(entry, func->code()->entry(), *func,
    96:                               *receiver, argc, args);
>   97: }
    98:
    99: #ifdef DEBUG
   100:   value->Verify();
   101: #endif
   102:

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  test_shell!v8::internal::Invoke+81

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: test_shell

IMAGE_NAME:  test_shell.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4a090e51

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  NULL_INSTRUCTION_PTR_c0000005_test_shell.exe!v8::internal::Invoke

BUCKET_ID:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_test_shell!v8::internal::Invoke+81

Followup: MachineOwner
v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
