Closed Bug 621375 Opened 13 years ago Closed 13 years ago

JM: Crash [@ obj_hasOwnProperty] with gc

Categories

(Core :: JavaScript Engine, defect)

Platform: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 619004
Tracking Status
blocking2.0 --- -

People

(Reporter: gkw, Assigned: Waldo)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical?][hardblocker])

Crash Data

Attachments

(1 file)

Attached file Console output
x = evalcx('split').hasOwnProperty;  // take hasOwnProperty from the split global created by the shell's evalcx builtin
gc()                                  // force a garbage collection
x()                                   // call through the now partially freed split object

This crashes the js debug shell on TM changeset 5641d5c42b7c with -m at obj_hasOwnProperty. I'm sure that prior to reduction the opt shells crashed as well, but somehow the opt crash testcase borked out for some reason.
Group: core-security
Seems to be happening since changeset 547af2626088 (July 2010)
blocking2.0: --- → ?
blocking2.0: ? → betaN+
Assignee: general → jwalden+bmo
I think I've figured out the root of this problem: a split object has one half freed, so when the object is accessed, freed memory is also accessed. A fix could be just to force gc to either collect the whole object or no object at all.
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][hardblocker]
Blocks: 621419
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
This affects only the shell, so not s-s.
Group: core-security
blocking2.0: betaN+ → -
Crash Signature: [@ obj_hasOwnProperty]
A testcase for this bug was already added in the original bug (bug 619004).
Flags: in-testsuite-