Closed Bug 704136 Opened 13 years ago Closed 13 years ago

[ObjShrink]: Crash [@ js::HeapPtr<JSString, unsigned long>::operator] with gczeal(4)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on jaegermonkey branch revision a335853be219 (run with -m -n -a), tested on 64 bit:


gczeal(4);
jsTestDriverEnd();
obj->setPrivate() was being used when setting an object's initial state, which could trigger a write barrier that read the previous uninitialized private value.

https://hg.mozilla.org/projects/jaegermonkey/rev/fe22ebe9b8b3
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.