Closed Bug 550743 Opened 10 years ago Closed 10 years ago

JM: Crash [@ JSString::hasFlag] or [@ js_DeflateString]

Categories

(Core :: JavaScript Engine, defect, critical)

Hardware: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical


RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)


// Reporter's fuzzer-generated testcase (kept as posted; the odd control
// flow is intentional). The string passed to g() becomes the body of a
// generator whose frame owns the let-bound `z` that the getter closes over.
function g(code) {
  f = Function(code);
  if (code.indexOf() - 1)
  z = 0
  // Iterating the generator with for-in and exiting after the first yield
  // leaves the generator closed but still referenced by the getter.
  for (a in f()) z
}
g("\
  yield this.__defineGetter__(\"x\",function(){print(z)});\
  let z=''.replace('')\
")
// Force a collection, then touch the getter so it reads `z` from the
// closed generator's frame.
gc()
x

Crashes the js debug shell at JSString::hasFlag on JM tip without -j or -m, and crashes the js opt shell at js_DeflateString at a weird memory address on JM tip without -j or -m.

Tested on Mac 10.6.2 64-bit JM rev 71ed74081c2d, does not seem to occur in 32-bit TM rev c5e80acb1e7d.
Wow, another most excellent find.  The bug is with the contiguous-stack patch and generators not getting marked after being closed.  Fixed in JM:
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/66970a486644
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Duplicate of this bug: 550647
Crash Signature: [@ JSString::hasFlag] [@ js_DeflateString]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/testBug550743.js.
Flags: in-testsuite+