Closed Bug 653789 Opened 13 years ago Closed 13 years ago

Crash [@ js_CheckForStringIndex] or [@ js::DefaultValue]

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla6

People

(Reporter: gkw, Assigned: Waldo)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(2 files)

stacks 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 5.94 KB, text/plain		Details
Patch and tests 13 years ago Jeff Walden [:Waldo] 5.37 KB, patch	luke : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

13 years ago

Attached file stacks — Details

__defineGetter__("x", eval);
eval.toString = toLocaleString
eval < x

crashes js debug shell on TM changeset 3dd6ec45084c without -m nor -j at js_CheckForStringIndex and crashes js opt shell at js::DefaultValue

Jeff Walden [:Waldo]

Assignee

Updated

•

13 years ago

Assignee: general → jwalden+bmo

Status: NEW → ASSIGNED

Target Milestone: --- → mozilla6

Jeff Walden [:Waldo]

Assignee

Comment 1

•

13 years ago

Attached patch Patch and tests — Details — Splinter Review

toLocaleString can straightforwardly recur through all-native functions.  Also, it didn't implement the spec algorithm.  Funny, that, how methods not written in the steps of the spec turn out to be buggy.

Attachment #529203 - Flags: review?(luke)

Jeff Walden [:Waldo]

Assignee

Comment 2

•

13 years ago

Oh, a simpler test:

"" + { toString: Object.prototype.toLocaleString };

Blocks: 645468

OS: Linux → All

Hardware: x86 → All

Luke Wagner [:luke]

Comment 3

•

13 years ago

Comment on attachment 529203 [details] [diff] [review]
Patch and tests

Oops, I missed the initial review request.  Nice test.

Attachment #529203 - Flags: review?(luke) → review+

Jeff Walden [:Waldo]

Assignee

Comment 4

•

13 years ago

http://hg.mozilla.org/tracemonkey/rev/897963a18985

I noticed before landing that I had another test which I'd somehow forgotten to add to the patch.  It's basically comment 2, so not too tricky to need a look or anything.

Whiteboard: fixed-in-tracemonkey

Nobody; OK to take it and work on it

Updated

•

13 years ago

Crash Signature: [@ js_CheckForStringIndex] [@ js::DefaultValue]

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 5

•

13 years ago

This already landed on mozilla-central some time ago.

http://hg.mozilla.org/mozilla-central/rev/897963a18985

Status: ASSIGNED → RESOLVED

Crash Signature: [@ js_CheckForStringIndex] [@ js::DefaultValue] → [@ js_CheckForStringIndex] [@ js::DefaultValue]

Closed: 13 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Comment 6

•

11 years ago

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Crash [@ js_CheckForStringIndex] or [@ js::DefaultValue]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Assigned: Waldo)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type