Closed
Bug 510434
Opened 15 years ago
Closed 15 years ago
TM: incorrect value when printing "arguments"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
People
(Reporter: jruderman, Assigned: dmandelin)
Details
(Keywords: testcase, verified1.9.2, Whiteboard: [sg:critical?] fixed-in-tracemonkey)
Attachments
(1 file)
844 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
(function(){ var arguments = 3; for (var j=0;j<4;++j) print(arguments); } )()
3
3
3
6.3669234573e-314
(First JIT correctness bug found by jsfunfuzz!)
Assignee | ||
Comment 1•15 years ago
|
||
Updated•15 years ago
|
Attachment #394610 -
Flags: review? → review+
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:critical?]
Assignee | ||
Comment 2•15 years ago
|
||
Pushed to TM as 750e909e4433.
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
Comment 3•15 years ago
|
||
(Why is this "sg:critical?" And was this seen on m-c or only in tracemonkey? Just trying to figure out how to read the recent surge in JS sg:crit(?) count.)
Reporter | ||
Comment 4•15 years ago
|
||
When I see the JS engine treat a non-double as a double, I think it's likely that worse things could happen due to the same bug. See bug 489682, for example.
Comment 5•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 6•15 years ago
|
||
status1.9.2:
--- → beta1-fixed
Flags: wanted1.9.2+
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•