Closed
Bug 583402
Opened 14 years ago
Closed 14 years ago
JM: crashtest crash on dom/base/crashtests/499006-1.html
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: dmandelin, Assigned: dmandelin)
No description provided.
Updated (Assignee) • 14 years ago
Blocks: JaegerBrowser
Summary: TM: → JM: crashtest crash on dom/base/crashtests/499006-1.html
Comment 1 (Assignee) • 14 years ago
There was a loop in js_ClearScope that uses unsigned in a bad way. http://hg.mozilla.org/projects/jaegermonkey/rev/fbbb0c6655c9
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated (Assignee) • 14 years ago
Group: core-security
Comment 2 • 14 years ago
What was n, and what was i's initial value? /be
Comment 3 (Assignee) • 14 years ago
I don't remember about i, but n was 0.
Comment 4 • 14 years ago
Freakshow -- n shouldn't be 0 (yet; bug 558451 will change things; maybe JM has already, but I would like to know how/why). We use unsigned types even with count down loops so long as boundary conditions allow. An assertion was due here, though, that n != 0. Sorry about that! /be
Comment 5 (Assignee) • 14 years ago
(In reply to comment #4)
> Freakshow -- n shouldn't be 0 (yet; bug 558451 will change things; maybe JM has
> already, but I would like to know how/why).

We are currently in sync with a version of TM after parent was made into a member but before that patch was backed out.

> We use unsigned types even with count down loops so long as boundary conditions
> allow. An assertion was due here, though, that n != 0. Sorry about that!

The bug probably got caught more easily this way, since we are heavily focused on crashes right now in JM.
Comment 6 • 14 years ago
This raises a good point: the patch to make parent a typed member not an fslot should have assertions added to it, probably. Inspection of uint32 type usage for sure. /be
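An added illustration of the bug class discussed in this thread (not the js_ClearScope code, which is not shown on this page): an unsigned count-down loop that is correct while n != 0 but wraps when n is 0, next to a form that tolerates n == 0. The function names, array size and step guard are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define NSLOTS     8   /* constructed slot-array size */
#define STEP_LIMIT 64  /* demo guard so the wrapped loop stops */

/* Count-down form that is correct only while n != 0. Returns the number of
 * iterations; *oob counts indices that fell outside slots[0..NSLOTS). */
static uint32_t clear_flawed(int *slots, uint32_t n, uint32_t *oob)
{
    uint32_t steps = 0;
    uint32_t i = n - 1;               /* n == 0 wraps to UINT32_MAX */
    *oob = 0;
    do {
        if (i < NSLOTS)
            slots[i] = 0;
        else
            ++*oob;                   /* unguarded code would write here */
        ++steps;
    } while (i-- != 0 && steps < STEP_LIMIT);
    return steps;
}

/* Test-then-decrement form: handles n == 0 without a special case. */
static uint32_t clear_safe(int *slots, uint32_t n)
{
    uint32_t steps = 0;
    if (n > NSLOTS)
        n = NSLOTS;                   /* keep the demo inside the array */
    for (uint32_t i = n; i-- > 0; ++steps)
        slots[i] = 0;
    return steps;
}

int main(void)
{
    int slots[NSLOTS] = {1, 1, 1, 1, 1, 1, 1, 1};
    uint32_t oob;
    uint32_t steps = clear_flawed(slots, 0, &oob);
    printf("flawed n=0: steps=%u out-of-range=%u\n", (unsigned)steps, (unsigned)oob);
    steps = clear_flawed(slots, 3, &oob);
    printf("flawed n=3: steps=%u out-of-range=%u\n", (unsigned)steps, (unsigned)oob);
    printf("safe   n=0: steps=%u\n", (unsigned)clear_safe(slots, 0));
    return 0;
}
```

An `assert(n != 0)` at the top of the first form is the kind of check comment 4 says was due; the second form removes the precondition instead.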
Updated • 9 years ago
Group: core-security