Closed
Bug 1057587
Opened 10 years ago
Closed 10 years ago
Crash [@ JSString::ensureLinear] with Symbol
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla35
| Tracking | Status | |
|---|---|---|
| firefox34 | --- | affected |
People
(Reporter: decoder, Assigned: jorendorff)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
Attachments
(2 files)
|
370 bytes,
text/plain
|
Details | |
|
1.15 KB,
patch
|
evilpie
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision cd2acc7ab2f8 (run with --no-threads --fuzzing-safe):
"use strict";
eval('({[Symbol.iterator]:1, [Symbol()]:2})');
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
Needinfo from jorendorff because it involves Symbol :)
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•10 years ago
|
status-firefox34:
--- → affected
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•10 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7079b7552946 user: Guptha Rajagopal date: Fri Aug 08 09:15:00 2014 -0400 summary: Bug 924688 - Implement ES6 computed property names. r=jorendorff This iteration took 428.368 seconds to run.
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 4•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7bd309e55a3d).
|
|
Reporter | |
Comment 5•10 years ago
|
||
Still reproduces, e.g. with environment [Symbol.iterator] = 1;
|
||
Comment 6•10 years ago
|
||
This is just specific to the environment object. This test case doesn't even include computed property name.
|
Assignee | |
Comment 7•10 years ago
|
||
Any other places where this reproduces? Otherwise it looks like this is fixed...
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
|
|
Assignee | |
Comment 8•10 years ago
|
||
D'oh. Bug 1037723 fixes the getter but not the setter.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
|
|
Assignee | |
Comment 9•10 years ago
|
||
Assignee: nobody → jorendorff
Attachment #8486862 -
Flags: review?(evilpies)
|
|
||
Comment 10•10 years ago
|
||
Comment on attachment 8486862 [details] [diff] [review] bug-1057587-env_resolve-v1.patch Review of attachment 8486862 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/shell/js.cpp @@ +4957,5 @@ > > + if (JSID_IS_SYMBOL(id)) > + return true; > + RootedString idstring(cx, IdToString(cx, id)); > + if (!idstring) Good catch.
Attachment #8486862 -
Flags: review?(evilpies) → review+
|
|
Assignee | |
Comment 11•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=af77bb098aef
|
||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9f5b055bb012
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in
before you can comment on or make changes to this bug.
Description
•