Closed
Bug 557070
Opened 12 years ago
Closed 12 years ago
JM: Crash [@ js_NewObjectWithGivenProto] or [@ malloc] or [@ js_GetCallObject] or [@ js::PropertyTree::getChild]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
for (e in (function x() { [eval()].some(x) } ()));
crashes js debug shell on JM tip with -m at js_NewObjectWithGivenProto (near the top of the stack) with malloc somewhere at the top of the stack (depending whether or not the testcase was passed as a CLI argument) and crashes js opt shell on JM tip with -m at js_GetCallObject near the top of the stack also with malloc or js::PropertyTree::getChild near the top of the stack (depending whether or not the testcase was passed as a CLI argument).http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/a9f1959f3006
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Crash Signature: [@ js_NewObjectWithGivenProto]
[@ malloc]
[@ js_GetCallObject]
[@ js::PropertyTree::getChild]
|
||
Comment 2•9 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug557070.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•