Closed Bug 648004 Opened 13 years ago Closed 13 years ago

TI+JM: crash [@JSString::isLinear]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(1 file, 1 obsolete file)

Patch
1.68 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
--
var x = eval("gc(); 30");
x.toString();
isNaN(x);
--
Crashes at revision 7928f2dc3d4d with -n -m -a.
Attached patch Patch (obsolete) — Splinter Review 
In ic::CallProp, js_GetClassPrototype could trigger a recompilation and pic->atom became invalid.
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #524211 - Flags: review?(bhackett1024)
Attached patch PatchSplinter Review 

        Attachment #524211 -
        Attachment is obsolete: true

        Attachment #524211 -
        Flags: review?(bhackett1024)

        Attachment #524215 -
        Flags: review?(bhackett1024)

    
    

    
  
Comment on attachment 524215 [details] [diff] [review]
Patch

Erk. Really need to do a thorough review of MonoIC.cpp and PolyIC.cpp one of these days and kill these bugs.

        Attachment #524215 -
        Flags: review?(bhackett1024) → review+

    
    

    
  
http://hg.mozilla.org/projects/jaegermonkey/rev/98d28777528b
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: