Closed
Bug 486812
Opened 16 years ago
Closed 16 years ago
TM: Crash [@ js_AddScopeProperty]
Categories (Core :: JavaScript Engine, defect)
Status: RESOLVED DUPLICATE of bug 484693
People (Reporter: gkw, Assigned: graydon)
Details (Keywords: crash, regression, testcase, Whiteboard: [sg:critical?])
var a = toString;
var b = toSource;
for (iters = 0; iters < 5000; ++iters) {
  c = "" + function(){}
  for (i = 0; i < c.length; ++i) {}
  delete toSource;
  toSource = b;
  delete toString;
  toString = a;
}
crashes debug js shell with -j at 0xcdcdcdcd at js_AddScopeProperty. Security-sensitive because bug 484693 is. Assigning to graydon and nominating blocking1.9.1? as gal requests over IRC.
autoBisect shows this is probably related to bug 484693 or http://hg.mozilla.org/tracemonkey/rev/b512be855093 :
The first bad revision is:
changeset: 26770:b512be855093
user: Graydon Hoare
date: Fri Apr 03 16:30:46 2009 -0700
summary: Bug 484693 - Remove uses of alloca, r=gal.
=====
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000cdcdcdcd
Crashed Thread: 0
Thread 0 Crashed:
0 js-dbg-tm-intelmac 0x000f10d5 js_AddScopeProperty + 1239
1 js-dbg-tm-intelmac 0x000a9930 js_SetPropertyHelper + 1112
2 js-dbg-tm-intelmac 0x0007ee2c js_Interpret + 91816
3 js-dbg-tm-intelmac 0x00092e65 js_Execute + 807
4 js-dbg-tm-intelmac 0x0001e37c JS_ExecuteScript + 54
5 js-dbg-tm-intelmac 0x000086a5 Process(JSContext*, JSObject*, char*, int) + 467
6 js-dbg-tm-intelmac 0x00009eda ProcessArgs(JSContext*, JSObject*, char**, int) + 2276
7 js-dbg-tm-intelmac 0x0000b369 main + 897 (js.cpp:4737)
8 js-dbg-tm-intelmac 0x0000258b _start + 209
9 js-dbg-tm-intelmac 0x000024b9 start + 41
Flags: blocking1.9.1?
Comment 1 • 16 years ago (Reporter)
Caused by checkin of patch in bug 484693. Duping.
https://bugzilla.mozilla.org/show_bug.cgi?id=484693#c48
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated • 16 years ago
Flags: blocking1.9.1?
Updated • 16 years ago (Reporter)
Flags: in-testsuite?
Updated • 15 years ago
Flags: wanted1.9.0.x-
Whiteboard: [sg:critical?]
Updated • 15 years ago
Group: core-security
Updated • 13 years ago
Crash Signature: [@ js_AddScopeProperty]
Comment 2 • 12 years ago
Filter on qa-project-auto-change:
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-