Closed
Bug 643243
Opened 14 years ago
Closed 14 years ago
TI: Crash [@ js::PutEscapedStringImpl] or [@ js::types::CondenseSweepTypeSet]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 643284
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, testcase)
Attachments
(1 file: 6.07 KB, text/plain)
{
  function newSandbox(n) {}
}
var o12 = Float32Array.prototype;
function f12(o) {
  eval('o')['__proto_' + '_'] = null;
}
for (var i = 0; i < 14; i++) {
  gc()
  new f12(o12);
}
crashes js debug shells on JM changeset 5ce2f7a90286 with -m, -a and -n at js::PutEscapedStringImpl and crashes js opt shells at js::types::CondenseSweepTypeSet when passed in as a CLI argument.
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Reporter
Comment 1•14 years ago
Comment 3•14 years ago
Same GC corruption as bug 643284, will push the testcase.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Crash Signature: [@ js::PutEscapedStringImpl]
[@ js::types::CondenseSweepTypeSet]
Comment 4•12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug643243.js.
Flags: in-testsuite+