Closed Bug 640176 Opened 15 years ago Closed 15 years ago

TI+JM: crash [@JSString::isAtomized]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 639882

People

(Reporter: jandem, Unassigned)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

Jan de Mooij [:jandem]

Reporter

Description

•

15 years ago

-- var y = ""; typeof(x) + typeof(eval("x = y")); -- Crashes with -m -n -a 0x00183b9c in JSString::isAtomized (this=0x0) at jsstr.h:212 212 JS_ASSERT_IF(lengthAndFlags & ATOMIZED, isFlat()); (gdb) bt #0 0x00183b9c in JSString::isAtomized (this=0x0) at jsstr.h:212 #1 0x001cb0b0 in js_ConcatStrings (cx=0x70b5e0, left=0x0, right=0x14000e0) at ../jsstr.cpp:248 #2 0x002ada4a in js::mjit::stubs::Add (f=@0xbffff500) at ../methodjit/StubCalls.cpp:1174

Brian Hackett [Laid off!]

Comment 1

•

15 years ago

Speculating this is a dup of bug 639882, but will check again after that one is fixed.

Brian Hackett [Laid off!]

Comment 2

•

15 years ago

Syncing the stack fixed this bug. Testcase added as part of bug 639882.

Status: NEW → RESOLVED

Closed: 15 years ago

Resolution: --- → DUPLICATE

Whiteboard: fixed-in-jaegermonkey

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TI+JM: crash [@JSString::isAtomized]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: jandem, Unassigned)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2