Closed
Bug 465063
Opened 16 years ago
Closed 16 years ago
TM: Crash [@ TraceRecorder::hasMethod]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
DUPLICATE
of bug 464978
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?])
Crash Data
Attachments
(2 files)
y = <x/>; for (var z = 0; z < 2; ++z) { [] + y; }; crashes opt at a seemingly exploitable address of 0x00000000d8458900, at TraceRecorder::hasMethod. (I'm not so sure about debug builds, they seem to hang instead.)
Flags: blocking1.9.1?
Comment 1•16 years ago
|
||
Confirmed. Excellent test case. Thanks. David, I think this is the same iloop you were looking at today (inside an imacro).
Comment 3•16 years ago
|
||
I have a fix in bug 464978. /be
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Updated•16 years ago
|
Flags: blocking1.9.1? → in-testsuite?
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:critical?]
Comment 4•15 years ago
|
||
with jit on: regress-465063.js:53: TypeError: is not a function this does not happen without jit.
Updated•15 years ago
|
Flags: in-testsuite? → in-testsuite+
Comment 5•15 years ago
|
||
test case does not crash and no longer shows the TypeError. The TypeError was fixed by changeset: 25273:5191386baa44 user: Jeff Walden <jwalden@mit.edu> date: Fri May 08 13:48:05 2009 -0700 summary: Bug 482266 - E4X and imacros don't mix.
Status: RESOLVED → VERIFIED
Updated•15 years ago
|
Group: core-security
Comment 6•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/e84f94994c6a /cvsroot/mozilla/js/tests/e4x/Regress/regress-465063.js,v <-- regress-465063.js initial revision: 1.1
Updated•13 years ago
|
Crash Signature: [@ TraceRecorder::hasMethod]
You need to log in
before you can comment on or make changes to this bug.
Description
•