Closed
Bug 657585
Opened 13 years ago
Closed 13 years ago
Crash [@ js_GetPropertyHelperInline] or [@ js_str_charAt] or [@ js_ValueToString]
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla6
People
(Reporter: gkw, Assigned: Waldo)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(2 files)
|
4.75 KB,
text/plain
|
Details | |
|
2.26 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
(e = []); (e.toString = "".charAt); (e::E); crashes js debug shell on TM changeset 0cf1acdb20b1 without any CLI parameters at js_GetPropertyHelperInline and crashes js opt shell at js_str_charAt. js_ValueToString is also on both stacks.
|
Reporter | |
Comment 1•13 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 64602:0906d9490eaf user: Jeff Walden date: Mon Mar 28 20:01:53 2011 -0700 summary: Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke
Blocks: 645468
|
Assignee | |
Comment 2•13 years ago
|
||
|
|
||
Updated•13 years ago
|
Attachment #533008 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 3•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/8af92dba2480
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla6
|
||
Comment 4•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/8af92dba2480
|
|
||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ js_GetPropertyHelperInline]
[@ js_str_charAt]
[@ js_ValueToString]
You need to log in
before you can comment on or make changes to this bug.
Description
•