Crash [@ js_HashString] with jitted code calling js_Object_p_hasOwnProperty

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
9 years ago
7 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

({crash})

Trunk
x86
Mac OS X
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
Created attachment 336755 [details]
stack trace

This looks exploitable, but all I have is a stack trace :(

Comment 1

9 years ago
This looks like an old bug where we re-entered the interpreter. We now properly handle this case.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_HashString]
You need to log in before you can comment on or make changes to this bug.