Closed
Bug 557070
Opened 15 years ago
Closed 15 years ago
JM: Crash [@ js_NewObjectWithGivenProto] or [@ malloc] or [@ js_GetCallObject] or [@ js::PropertyTree::getChild]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
for (e in (function x() { [eval()].some(x) } ()));
crashes js debug shell on JM tip with -m at js_NewObjectWithGivenProto (near the top of the stack) with malloc somewhere at the top of the stack (depending whether or not the testcase was passed as a CLI argument) and crashes js opt shell on JM tip with -m at js_GetCallObject near the top of the stack also with malloc or js::PropertyTree::getChild near the top of the stack (depending whether or not the testcase was passed as a CLI argument).
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•14 years ago
|
Crash Signature: [@ js_NewObjectWithGivenProto]
[@ malloc]
[@ js_GetCallObject]
[@ js::PropertyTree::getChild]
|
||
Comment 2•13 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug557070.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•