Closed
Bug 593557
Opened 15 years ago
Closed 15 years ago
Crash [@ JSObject::getClass | regexp_construct] with fragile testcase
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:dupe 593611])
Crash Data
function w() {}
w(uneval({u: function () {}}));
(function () {
try {
throw 1;
} catch (e) {}
})()
try {
let x;
w(eval("", RegExp()));
} catch (e) {}
The first bad revision is:
changeset: 52720:66c8ad02543b
user: Luke Wagner <lw@mozilla.com>
date: Mon Aug 16 12:35:04 2010 -0700
summary: Bug 581263 - remove slow natives (r=waldo,mrbkap)
|
||
Comment 1•15 years ago
|
||
I am having trouble reproducing this. I've tried debug and opt, x86 and x64, Linux and OS X (though not every combination of these). I do get a warning:
test.js:10: warning: Support for eval(code, scopeObject) has been removed. Use |with (scopeObject) eval(code);| instead.
|
Reporter | |
Comment 2•15 years ago
|
||
I hit this with debug x64 on Ubuntu Linux.
|
|
||
Comment 3•15 years ago
|
||
Do you suppose you could see if this is fixed by the patch in bug 593611? It seems highly likely that this is caused by the same bug.
|
|
Reporter | |
Comment 4•15 years ago
|
||
Yes, the patch in bug 593611 made this stop crashing.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 5•15 years ago
|
||
Can we turn this testcase into a checked-in regression test?
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Flags: in-testsuite?
Whiteboard: [sg:dupe 593611]
|
|
||
Updated•14 years ago
|
Group: core-security
|
||
Updated•14 years ago
|
Crash Signature: [@ JSObject::getClass | regexp_construct]
You need to log in
before you can comment on or make changes to this bug.
Description
•