Closed Bug 643242 Opened 15 years ago Closed 15 years ago

TI: Crash [@ js::PutEscapedStringImpl] or [@ js::types::CondenseSweepTypeSet]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 643243

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

15 years ago

{ function newSandbox(n) {} } var o12 = Float32Array.prototype; function f12(o) { eval('o')['__proto_' + '_'] = null; } for (var i = 0; i < 14; i++) { gc() new f12(o12); } crashes js debug shells on JM changeset 5ce2f7a90286 with -m, -a and -n at js::PutEscapedStringImpl and crashes js opt shells at js::types::CondenseSweepTypeSet when passed in as a CLI argument. This was found using a combination of jsfunfuzz and jandem's method fuzzer.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Updated

•

15 years ago

Status: NEW → RESOLVED

Closed: 15 years ago

Resolution: --- → DUPLICATE

Nobody; OK to take it and work on it

Updated

•

14 years ago

Crash Signature: [@ js::PutEscapedStringImpl] [@ js::types::CondenseSweepTypeSet]

Christian Holler (:decoder)

Comment 2

•

13 years ago

A testcase for this bug was already added in the original bug (bug 643243).

Flags: in-testsuite-

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TI: Crash [@ js::PutEscapedStringImpl] or [@ js::types::CondenseSweepTypeSet]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Comment 2