Closed
Bug 355512
Opened 19 years ago
Closed 19 years ago
Crash [@ MarkGCThingChildren] involving "arguments" from generator
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.8.1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: crash, testcase, verified1.8.1, Whiteboard: [sg:critical] js1.7 feature)
Crash Data
Attachments
(2 files, 1 obsolete file)
|
967 bytes,
patch
|
igor
:
review+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
|
2.47 KB,
text/plain
|
Details |
This is probably related to bug 355486 in some way.
To reproduce: give this to the js shell as a file or by pasting.
function foopy()
{
var f = function(){ r = arguments; d.d.d; yield 170; }
try { for (var i in f()) { } } catch (iterError) { }
}
typeof uneval;
foopy();
gc();
uneval(r);
gc();
|
Reporter | |
Updated•19 years ago
|
Whiteboard: [sg:critical]
|
Assignee | |
Comment 1•19 years ago
|
||
|
|
Assignee | |
Updated•19 years ago
|
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
|
|
Assignee | |
Comment 2•19 years ago
|
||
Attachment #241401 -
Attachment is obsolete: true
Attachment #241402 -
Flags: review?(igor.bukanov)
Attachment #241401 -
Flags: review?(igor.bukanov)
|
|
||
Comment 3•19 years ago
|
||
Comment on attachment 241402 [details] [diff] [review]
better fix pointed out by Igor
Marking always is good.
Attachment #241402 -
Flags: review?(igor.bukanov) → review+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #241402 -
Flags: approval1.8.1?
|
|
Assignee | |
Comment 4•19 years ago
|
||
Fixed on trunk, bowdlerized bug number:
Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v <-- jsiter.c
new revision: 3.53; previous revision: 3.52
done
/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Updated•19 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
|
||
Comment 5•19 years ago
|
||
|
|
||
Updated•19 years ago
|
Flags: in-testsuite+
|
|
||
Comment 7•19 years ago
|
||
Comment on attachment 241402 [details] [diff] [review]
better fix pointed out by Igor
Approved for RC3.
Attachment #241402 -
Flags: approval1.8.1? → approval1.8.1+
|
|
Assignee | |
Comment 8•19 years ago
|
||
Fixed on the 1.8 branch (checkin mentions attachment id):
Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v <-- jsiter.c
new revision: 3.17.2.23; previous revision: 3.17.2.22
done
/be
Keywords: fixed1.8.1
|
||
Updated•19 years ago
|
Whiteboard: [sg:critical] → [sg:critical] js1.7 feature
|
|
||
Comment 10•19 years ago
|
||
verified fixed 20061009 1.8 windows/linux/mac* 1.9 windows/linux
Keywords: fixed1.8.1 → verified1.8.1
|
|
||
Comment 11•19 years ago
|
||
clearing nomination flag and security flag for fixed bug.
Group: security
Flags: blocking1.8.1.1?
|
|
||
Comment 12•18 years ago
|
||
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-355512.js,v <-- regress-355512.js
|
||
Updated•14 years ago
|
Crash Signature: [@ MarkGCThingChildren]
You need to log in
before you can comment on or make changes to this bug.
Description
•