Bug 646052 (Closed): Crash [@ js::PropertyTable::search(int, bool)]

Opened 13 years ago
Closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED DUPLICATE of bug 635389
Tracking flags: blocking2.0: .x+
People: (Reporter: gkw, Unassigned)
Details: (Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos])
Description (Reporter)

```html
<script> x = [];x.join = x.toString;while ((7) & x) {} </script>
```

or

```
javascript:x = [];x.join = x.toString;while ((7) & x) {}
```

Boom, Firefox 4 final goes up in flames. This is really bad, < 60 characters to crash. New profile.

Signature is #16 on Firefox 4 topcrash list, and rising.

bp-1ed98119-4ae0-4713-8614-c1d9c2110329

s-s and setting [sg:critical?] to fear the worst, and blocking2.0? for being a topcrasher.

See bug 595975 for a possibly-related topcrash bug. cc'ing marcia, chofmann.

js::PropertyTable::search(int, bool) signature, 12k Windows crashes:
https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-29%2005%3A00%3A00&signature=js%3A%3APropertyTable%3A%3Asearch%28int%2C%20bool%29&version=Firefox%3A4.0

js::PropertyTable::search Linux/Mac:
https://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&date=2011-03-29%2005%3A00%3A00&signature=js%3A%3APropertyTable%3A%3Asearch&version=Firefox%3A4.0

Comment 1 (Reporter, 13 years ago)
Happens on Linux too. Getting a regression window...
OS: Windows 7 → All
Hardware: x86 → All
Comment 2 (Reporter, 13 years ago)
Opt shell backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x080e82af in js_GetProperty(JSContext*, JSObject*, JSObject*, int, js::Value*) ()
(gdb) bt
#0  0x080e82af in js_GetProperty(JSContext*, JSObject*, JSObject*, int, js::Value*) ()
#1  0x0806695e in array_toString(JSContext*, unsigned int, js::Value*) ()
#2  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#3  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#4  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#5  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#6  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#7  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#8  0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
#9  0x08066b00 in array_toString(JSContext*, unsigned int, js::Value*) ()
#10 0x080cacf9 in js::Invoke(JSContext*, js::CallArgs const&, unsigned int) ()
--snip--
```

May be a recursive stack overflow. This, though, smells immensely like bug 635389.
Comment 3 (13 years ago)
Definitely a duplicate.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated (13 years ago)
blocking2.0: ? → .x+
Updated (13 years ago)
Crash Signature: [@ js::PropertyTable::search(int, bool)]
Comment 4 (Reporter, 12 years ago)
Scratchpad now shows too much recursion error message instead of crashing. (using scratchpad since the javascript: protocol in the URL bar is disabled) -> VERIFIED.
Status: RESOLVED → VERIFIED
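The verified outcome in Comment 4 (a "too much recursion" error instead of a segfault) can be checked directly in any current engine, and the same guard can be modelled in a few lines. The following is an added example, not code from the bug or from SpiderMonkey: `runTestcase` runs the reporter's own testcase and reports which exception it raises, and `makeGuardedInvoke` / `modelArrayToString` are this example's own hypothetical names for a depth-limited native call path that mirrors the `js::Invoke` / `array_toString` frames in the Comment 2 backtrace (the limit of 50 is arbitrary).

```javascript
// Added example, not part of bug 646052 or the SpiderMonkey source.

// 1. The reporter's testcase, run under the engine's recursion guard.
// Array.prototype.toString defers to this.join; join has been redirected
// back to toString, so coercing x to a number recurses without end.
function runTestcase() {
  const x = [];
  x.join = x.toString;
  try {
    // `(7) & x` forces ToPrimitive(x): valueOf returns the object, so
    // toString -> join -> toString -> ... until the stack-depth guard fires.
    while ((7) & x) {}
    return "no error";
  } catch (e) {
    // A fixed engine reports this as a catchable RangeError, not a crash.
    return e instanceof RangeError ? "RangeError" : e.constructor.name;
  }
}

// 2. Model of the guard a native call path needs: every nested invoke bumps a
// depth counter and refuses once the limit is reached, so mutual recursion
// between native methods surfaces as an error instead of exhausting the C stack.
// Hypothetical names; the limit is a parameter, not an engine constant.
function makeGuardedInvoke(limit) {
  let depth = 0;
  return function invoke(fn, thisArg, ...args) {
    if (depth >= limit) throw new RangeError("too much recursion");
    depth++;
    try {
      return fn.apply(thisArg, args);
    } finally {
      depth--;
    }
  };
}

// Toy array_toString / join pair wired through the guarded invoke. With
// redirectJoin=false it behaves normally; with redirectJoin=true it
// reproduces the bug's join -> toString loop and must stop at the limit.
function modelArrayToString(limit, redirectJoin) {
  const invoke = makeGuardedInvoke(limit);
  const arr = { elements: [1, 2, 3] };
  function join(sep) { return this.elements.join(sep); }
  function toString() {
    // Like Array.prototype.toString: call whatever this.join currently is.
    return invoke(this.join, this, ",");
  }
  arr.join = redirectJoin ? toString : join;
  try {
    return invoke(toString, arr);
  } catch (e) {
    return e instanceof RangeError ? "too much recursion" : String(e);
  }
}

console.log(runTestcase());                    // RangeError
console.log(modelArrayToString(50, false));    // 1,2,3
console.log(modelArrayToString(50, true));     // too much recursion
```

The point of the model is the `finally`: the counter is decremented on both the normal and the throwing path, so one caught overflow does not leave the interpreter permanently at its limit.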
Updated (12 years ago)
Group: core-security
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dos]
Comment 5 (11 years ago)
A testcase for this bug was already added in the original bug (bug 635389).
Flags: in-testsuite-