Closed Bug 465686 Opened 14 years ago Closed 14 years ago

TM: double free and crash [@ tiny_free_list_add_ptr]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: dvander)

Details

(Keywords: crash, testcase, verified1.9.1, Whiteboard: [sg:critical?][fixed-in-tracemonkey])

Crash Data

Attachments

(2 files)

for each (let b in [eval, eval, 4, 4]) { 
  ++b; 
  for each (b in [(void 0), (void 0), (void 0), 3, (void 0), 3]) { 
    b ^= b; 
    for each (var c in [1/0]) {
    }
  } 
}
Whiteboard: [sg:critical?]
Attached patch proposed fixSplinter Review
Can't trash tree with live recorder.
Assignee: general → danderson
Status: NEW → ASSIGNED
Attachment #349290 - Flags: review?(gal)
Attachment #349290 - Flags: review?(gal) → review+
Pushed fix as changeset http://hg.mozilla.org/tracemonkey/rev/c8d272272215
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Flags: in-litmus-
this is fixed on tracemonkey but not mozilla-central or mozilla-1.9.1
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [sg:critical?] → [sg:critical?][fixed-in-tracemonkey]
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Fixed on central and 1.9.1.

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/3f171689eeb8

bc, what about getting the test on 1.9.1?
Keywords: fixed1.9.1
rob, we don't commit sensitive tests until they are made public. tomcat and i are both running this test privately around the clock on windows, linux and mac for all branches. I'll get caught up on verifications this weekend.
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Group: core-security
Flags: wanted1.9.0.x-
test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge.
Crash Signature: [@ tiny_free_list_add_ptr]
You need to log in before you can comment on or make changes to this bug.