TM: Crash [@ TraceRecorder::hasMethod]

VERIFIED DUPLICATE of bug 464978

Status

defect
--
critical
11 years ago
8 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
x86
macOS
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(2 attachments)

Posted file crashlog
y = <x/>;
for (var z = 0; z < 2; ++z) { [] + y; };

crashes opt at a seemingly exploitable address of 0x00000000d8458900, at TraceRecorder::hasMethod.

(I'm not so sure about debug builds, they seem to hang instead.)
Flags: blocking1.9.1?
Confirmed. Excellent test case. Thanks.

David, I think this is the same iloop you were looking at today (inside an imacro).
I think gal is referring to bug 464978.
Depends on: 464978
I have a fix in bug 464978.

/be
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 464978
No longer depends on: 464978
Flags: blocking1.9.1? → in-testsuite?
Whiteboard: [sg:critical?]
with jit on: regress-465063.js:53: TypeError:  is not a function
this does not happen without jit.
Flags: in-testsuite? → in-testsuite+
test case does not crash and no longer shows the TypeError. The TypeError was fixed by
changeset: 25273:5191386baa44
user: Jeff Walden <jwalden@mit.edu>
date: Fri May 08 13:48:05 2009 -0700
summary: Bug 482266 - E4X and imacros don't mix.
Status: RESOLVED → VERIFIED
Group: core-security
http://hg.mozilla.org/tracemonkey/rev/e84f94994c6a
/cvsroot/mozilla/js/tests/e4x/Regress/regress-465063.js,v  <--  regress-465063.js
initial revision: 1.1
Crash Signature: [@ TraceRecorder::hasMethod]