Crash [@ js::Shape::hasSetterValue] NULL pointer dereference with watchpoints, setters

RESOLVED WORKSFORME

Status

()

RESOLVED WORKSFORME
8 years ago
3 years ago

People

(Reporter: jandem, Assigned: jorendorff)

Tracking

(4 keywords)

Trunk
All
Mac OS X
crash, regression, reproducible, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(status1.9.2 unaffected)

Details

(Whiteboard: [sg:dos], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
Created attachment 513781 [details]
Test case

Attached testcase crashes in debug and release builds.
(Reporter)

Updated

8 years ago
Summary: NULL-ptr dereference with watchpoints, setters → NULL pointer dereference with watchpoints, setters
(Reporter)

Comment 1

8 years ago
Created attachment 513783 [details]
Stack trace

Looks like some shape pointer is NULL.
(Reporter)

Comment 2

8 years ago
The first bad revision is:
changeset:   62175:589bb166be02
user:        Jason Orendorff <jorendorff@mozilla.com>
date:        Tue Feb 08 16:09:33 2011 -0600
summary:     Bug 627984 - Tighten up assertions in JSObject::methodReadBarrier. r=brendan.
Blocks: 627984
Keywords: regression

Updated

8 years ago
Assignee: general → jorendorff

Updated

8 years ago
Whiteboard: [sg:dos]
Summary: NULL pointer dereference with watchpoints, setters → Crash [@ js::Shape::hasSetterValue] NULL pointer dereference with watchpoints, setters
Version: unspecified → Trunk
Crash Signature: [@ js::Shape::hasSetterValue]

Comment 3

7 years ago
any reason to keep this closed if it is sg:dos?
Group: core-security
status1.9.2: --- → unaffected
WFM as of m-c rev e537a1ba501b.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.