Crash [@ small_malloc_from_free_list | szone_malloc_should_clear]

RESOLVED DUPLICATE of bug 571168

Status


Core
JavaScript Engine
--
critical
RESOLVED DUPLICATE of bug 571168
8 years ago
5 years ago

People

(Reporter: gkw, Assigned: gal)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk
x86
Mac OS X
crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(blocking2.0 betaN+)

Details

(Whiteboard: [sg:critical?], crash signature)

(Reporter)

Description

8 years ago
x = wrap(Proxy.createFunction)
x.__proto__ = x;
({N: x})()

crashes js debug shell on TM changeset 60af58b42567 at small_malloc_from_free_list and crashes js opt shell at szone_malloc_should_clear
(Reporter)

Updated

8 years ago
blocking2.0: --- → ?
(Reporter)

Comment 1

8 years ago
No -m nor -j options needed.
(Reporter)

Comment 2

8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   42437:4dd9be00049c
user:        Andreas Gal
date:        Tue May 18 19:21:43 2010 -0700
summary:     Implement ES Harmony Proxies (bug 546590, r=mrbkap).
Blocks: 546590

Updated

8 years ago
Assignee: general → gal

Updated

8 years ago
blocking2.0: ? → betaN+
(Assignee)

Updated

8 years ago
Group: core-security
Whiteboard: [sg:critical?]
(Assignee)

Comment 3

8 years ago
sayrer, can someone else own this?
(Assignee)

Comment 4

8 years ago
Still crashes with trunk.
(Assignee)

Comment 5

8 years ago
Dup of bug 609287. Will keep open and close when the other one is fixed. I can keep owning this until then.
(Assignee)

Comment 6

8 years ago
Confirmed dup.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 571168
Crash Signature: [@ small_malloc_from_free_list | szone_malloc_should_clear]
Group: core-security
A testcase for this bug was already added in the original bug (bug 571168).
Flags: in-testsuite-