Closed
Bug 502449
Opened 16 years ago
Closed 16 years ago
Crash [@ __memcpy]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
| status1.9.1 | --- | .2-fixed |
People
(Reporter: gkw, Assigned: mrbkap)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file)
3.03 KB, patch | igor: review+ | samuel.sidler+old: approval1.9.1.2+
(function() {
  x = this.watch("x", function() {
    function x() {
      return * ::*
    }
  })
})()
crashes js opt and debug shell from TM branch without -j at __memcpy. Haven't yet tested on 1.9.1, and won't have time to autoBisect yet for a couple of days.
===
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 libSystem.B.dylib 0xffff07c2 __memcpy + 34 (cpu_capabilities.h:246)
1 js-opt-tm-intelmac 0x00042137 js_PutCallObject + 327
2 js-opt-tm-intelmac 0x00024170 js_watch_set + 736
3 js-opt-tm-intelmac 0x00068ff3 js_NativeSet + 227
4 js-opt-tm-intelmac 0x00069950 js_SetPropertyHelper + 1616
5 js-opt-tm-intelmac 0x0004a3f5 js_Interpret + 2853
6 js-opt-tm-intelmac 0x000598f9 js_Execute + 409
7 js-opt-tm-intelmac 0x0000e88c JS_ExecuteScript + 60
8 js-opt-tm-intelmac 0x000043e0 Process(JSContext*, JSObject*, char*, int) + 1616
9 js-opt-tm-intelmac 0x00007aaf main + 879
10 js-opt-tm-intelmac 0x000025bb _start + 209
11 js-opt-tm-intelmac 0x000024e9 start + 41
Flags: blocking1.9.2?
Comment 1•16 years ago (Assignee)
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #386891 - Flags: review?(igor)
Attachment #386891 - Flags: review?(brendan)
Comment 2•16 years ago (Assignee)
This is fallout from bug 501270. It did not affect the 1.9.0 version of the patch from that bug because igor's call object optimization didn't land on that branch.
Blocks: CVE-2009-2664
Updated•16 years ago
Attachment #386891 - Flags: review?(igor) → review+
Comment 5•16 years ago
Comment on attachment 386891
Fix
Gonna go with Igor's r+ here.
/be
Attachment #386891 - Flags: review?(brendan)
Comment 8•16 years ago (Assignee)
Whiteboard: fixed-in-tracemonkey
Updated•16 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Comment 10•16 years ago
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 11•16 years ago (Assignee)
Comment on attachment 386891
Fix
Needed if we take bug 501270 on the 1.9.1 branch.
Attachment #386891 - Flags: approval1.9.1.2?
Comment 12•16 years ago
Comment on attachment 386891
Fix
Approved for 1.9.1.2. a=ss for release-drivers
Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.
Attachment #386891 - Flags: approval1.9.1.2? → approval1.9.1.2+
Comment 13•16 years ago (Assignee)
status1.9.1: --- → .2-fixed
Comment 14•16 years ago
test passes in 1.9.1 shell on mac, but never failed there.
Comment 15•16 years ago
What is the best/simplest way for QA to verify this on 3.5.2?
Updated•16 years ago (Reporter)
Flags: in-testsuite?
Comment 16•16 years ago
Mass change: adding fixed1.9.2 keyword
(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Updated•16 years ago
status1.9.2: --- → beta1-fixed
Keywords: fixed1.9.2
Updated•16 years ago
Flags: wanted1.9.0.x-
Updated•14 years ago
Crash Signature: [@ __memcpy]