Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 649689 - TI+JM: crash in mjit generated code
: TI+JM: crash in mjit generated code
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Jan de Mooij [:jandem]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress
  Show dependency treegraph
Reported: 2011-04-13 10:34 PDT by Jan de Mooij [:jandem]
Modified: 2011-04-13 12:43 PDT (History)
3 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Patch (2.40 KB, patch)
2011-04-13 12:19 PDT, Jan de Mooij [:jandem]
no flags Details | Diff | Splinter Review
Patch (2.69 KB, patch)
2011-04-13 12:21 PDT, Jan de Mooij [:jandem]
bhackett1024: review+
Details | Diff | Splinter Review

Description Jan de Mooij [:jandem] 2011-04-13 10:34:24 PDT
function f(x) {
    eval("a = 3");
    x.p = x.p = a;
f({p: 2});
Crashes with -n -m -a at revision 14d8f4d01296.
Comment 1 Jan de Mooij [:jandem] 2011-04-13 12:19:22 PDT
Created attachment 525755 [details] [diff] [review]

FrameState::storeTo was clobbering the address register. I considered adding a class to pin registers but I think it's better to leave it to someone more experienced with FrameState.
Comment 2 Jan de Mooij [:jandem] 2011-04-13 12:21:36 PDT
Created attachment 525759 [details] [diff] [review]

Argh, forgot to hg qref the test.
Comment 3 Brian Hackett (:bhackett) 2011-04-13 12:43:29 PDT

Note You need to log in before you can comment on or make changes to this bug.