Closed Bug 618024 Opened 14 years ago Closed 14 years ago

JM shell crashes on the attached test case

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: jandem, Assigned: dvander)

References

Details

(Whiteboard: [sg:nse])

Attachments

(1 file)

Test case
633 bytes, application/x-javascript
Details
Attached file Test case 
JM-only crash in debug and release builds.

Debug build (x32, OS X) crashes with: Trace/BPT trap
Release build: Segmentation fault
Assignee: general → dvander
Status: NEW → ASSIGNED
(In reply to comment #0)
> x32
Ehm x86 or 32-bit...

I can't get this to crash in the browser; might be shell only.
This sounds like a memory management bug with recompilation.
blocking2.0: --- → final+
First, a little explanation about setDebug: it's a hack. Debug mode requires that no scripts are live (jsd respects this). But that would prevent us from testing debug mode, so we expose the ability to flip it on, in the shell, from within a script.

As long as it's the first line in the file, it'll work. Otherwise, you run the risk of building a call IC, which may become invalid if that call is recompiled.

That's exactly what happened here. The debugger test cases are special and may not survive concatenation with other shell tests.
Status: ASSIGNED → RESOLVED
blocking2.0: final+ → ---
Closed: 14 years ago
Resolution: --- → WONTFIX
OS: Mac OS X → Windows 7
Summary: JM crashes on the attached test case → JM shell crashes on the attached test case
Whiteboard: [sg:nse]
OS: Windows 7 → Mac OS X
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: