Closed
Bug 695666
Opened 13 years ago
Closed 3 years ago
Aurora: Crash [@ SuppressDeletedPropertyHelper<SingleIdPredicate>]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox9 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: js-triage-needed)
Crash Data
The following test crashes on mozilla-aurora revision 4754469691db (32 bit optimized build, options -m -n): loadFile(); function loadFile(unused) { eval("\ function testUndemoteLateGlobalSlots() {\ for each (aaa in [(null ), '', 0/0, '']) {\ for each(let aaa in [0, 0]) {\ try {\ testUndemoteLateGlobalSlots(aaa);\ } catch (aaa) {}\ }\ }\ delete aaa;\ }\ assertEq(testUndemoteLateGlobalSlots(), 'ok');\ "); } I cannot reproduce this issue on mozilla-central. It would be good if someone could check that the underlying bug is also not present on mozilla-central and if we need this fixed on aurora. The crash seems to be a near null-deref: ==36433== Invalid read of size 1 ==36433== at 0x80E3137: bool SuppressDeletedPropertyHelper<SingleIdPredicate>(JSContext*, JSObject*, SingleIdPredicate) (jsiter.cpp:847) ==36433== by 0x80E3B6E: js_SuppressDeletedProperty(JSContext*, JSObject*, int) (jsiter.cpp:920) ==36433== by 0x80F04C3: js_DeleteProperty(JSContext*, JSObject*, int, JS::Value*, int) (jsobj.cpp:6467) ==36433== by 0x8073E3A: JSObject::deleteProperty(JSContext*, int, JS::Value*, int) (jsobjinlines.h:176) ==36433== by 0x80D3929: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:3166) ==36433== by 0x80E171A: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:814) ==36433== by 0x80FA932: EvalKernel(JSContext*, js::CallArgs const&, EvalType, js::StackFrame*, JSObject&) (jsobj.cpp:1283) ==36433== by 0x80FAD86: js::DirectEval(JSContext*, js::CallArgs const&) (jsobj.cpp:1346) ==36433== by 0x80DA90D: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:4006) ==36433== by 0x80E2378: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:814) ==36433== by 0x80617CD: JS_ExecuteScript (jsapi.cpp:4891) ==36433== by 0x8050AA6: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:483) ==36433== Address 0x1c is not stack'd, malloc'd or (recently) free'd
Assignee | ||
Updated•10 years ago
|
Assignee: general → nobody
Updated•9 years ago
|
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleIdPredicate>] → [@ SuppressDeletedPropertyHelper<SingleIdPredicate>]
[@ SuppressDeletedPropertyHelper<T>]
Comment 1•3 years ago
|
||
Closing this issue as Resolved > Worksforme since no crashes with this Signature were reported in the last 6 months.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•