Closed Bug 465063 Opened 16 years ago Closed 16 years ago

TM: Crash [@ TraceRecorder::hasMethod]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

VERIFIED DUPLICATE of bug 464978

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?])

Attachments

(2 files)

Attached file crashlog
y = <x/>;
for (var z = 0; z < 2; ++z) { [] + y; };

crashes opt at a seemingly exploitable address of 0x00000000d8458900, at TraceRecorder::hasMethod.

(I'm not so sure about debug builds, they seem to hang instead.)
Flags: blocking1.9.1?
Confirmed. Excellent test case. Thanks.

David, I think this is the same iloop you were looking at today (inside an imacro).
I think gal is referring to bug 464978.
Depends on: 464978
I have a fix in bug 464978.

/be
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
No longer depends on: 464978
Flags: blocking1.9.1? → in-testsuite?
Whiteboard: [sg:critical?]
with jit on: regress-465063.js:53: TypeError:  is not a function
this does not happen without jit.
Flags: in-testsuite? → in-testsuite+
test case does not crash and no longer shows the TypeError. The TypeError was fixed by
changeset: 25273:5191386baa44
user: Jeff Walden <jwalden@mit.edu>
date: Fri May 08 13:48:05 2009 -0700
summary: Bug 482266 - E4X and imacros don't mix.
Status: RESOLVED → VERIFIED
Group: core-security
http://hg.mozilla.org/tracemonkey/rev/e84f94994c6a
/cvsroot/mozilla/js/tests/e4x/Regress/regress-465063.js,v  <--  regress-465063.js
initial revision: 1.1
Crash Signature: [@ TraceRecorder::hasMethod]