Closed
Bug 540348
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ CallPropertyOp] with gc
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 540528
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dupe 540528])
Crash Data
(function() {
for (var [e] = 1 in (eval("for (b = 0; b < 6; ++b) gc()"))) {}
})()
crashes js debug and opt shell with -j on TM tip at CallPropertyOp (at 0xffffffff for the latter)
Turning security-sensitive because this involves gc and crashes at a scary address.
autoBisect shows this is probably related to bug 495331:
The first bad revision is:
changeset: 37046:910ee7db07de
user: David Mandelin
date: Fri Jan 15 11:32:14 2010 -0800
summary: Bug 495331: trace JSOP_LAMBDA for non-heavyweight, non-null closures, r=jorendorff,dvander
|
||
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
|
||
Updated•14 years ago
|
Group: core-security
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 540528]
|
||
Comment 2•14 years ago
|
||
Major uptick
|
|
||
Comment 3•14 years ago
|
||
(In reply to comment #2) > Major uptick Oops, that was an incomplete comment that I didn't mean to include at all. Sorry for the bugspam. (Though I have recently faced a crash in [@ CallPropertyOp] repeatedly.)
|
||
Updated•13 years ago
|
Crash Signature: [@ CallPropertyOp]
|
||
Comment 4•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug540348.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•