Bug 666305 - Crash [@ js_CheckForStringIndex] or [@ js::ArrayBuffer::obj_lookupProperty]
Status: RESOLVED FIXED
js-triage-needed
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86 Linux
: -- critical
: ---
Assigned To: general
:
: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz
Reported: 2011-06-22 10:03 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-12-27 14:32 PST
choller: in‑testsuite+
Attachments
stack (11.08 KB, text/plain)
2011-06-22 10:03 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags

Description Gary Kwong [:gkw] [:nth10sd] 2011-06-22 10:03:29 PDT
Created attachment 541088
stack

o = (new Uint32Array).buffer
o.__proto__ = o
o.__proto__ = o

crashes js debug shell on TM changeset 0428dbdf3d58 with and without the patch in bug 665914, without any CLI arguments at js_CheckForStringIndex and crashes js opt shell at js::ArrayBuffer::obj_lookupProperty
Comment 1 Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?) 2011-06-22 13:39:29 PDT
0428dbdf3d58 is referring to some other changeset on TM.

The test case does fail before the patch attached to bug 665355, but raises type-error after that as it should.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-06-23 08:38:36 PDT
(In reply to comment #1)
> 0428dbdf3d58 is referring to some other changeset on TM.

I mean, that is the changeset which happened to be TM tip at the time of testing.
Comment 3 Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?) 2011-06-30 13:46:34 PDT
Can you reproduce this after the set of patches that landed now? (Latest is c3ceee49ac37.)
Comment 4 Asa Dotzler [:asa] 2011-07-12 14:37:58 PDT
The release team doesn't need to track this. If the JS team thinks it's important, they'll prioritize a fix and can ask for approval if that fix needs to land on branches.
Comment 5 Sheila Mooney 2011-07-12 14:49:19 PDT
There are 2 other bugs logged with related signatures: bug 639337 and bug 591513. Did we regress the original crash or will this fix all of them?
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2011-08-11 10:36:45 PDT
(In reply to Nikhil Marathe from comment #3)
> can you reproduce this after the set of patches that landed now? (latest is
> c3ceee49ac37)

Nope, can't reproduce this with JM changeset e0b67d8cc908 with patch v1 from bug 672892, this has m-c merge at rev a6c87fd27ba9.

Assuming fixed by patches for bug 665355.
Comment 7 Christian Holler (:decoder) 2013-01-19 14:08:27 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
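
A regression check for the behaviour Comment 1 describes (the testcase raising a TypeError instead of crashing), as an added example that is not part of the bug report or the committed testcase. The helper names are hypothetical, it assumes a current JavaScript shell or Node.js, and it extends the reported case to other buffer sources and a plain object.

```javascript
// Added regression check, not code from the bug report. Helper names are hypothetical.
// Each factory returns a fresh object of the kind being probed.
const factories = {
  "Uint32Array.buffer": () => new Uint32Array().buffer, // object from the report
  "Uint8Array(16).buffer": () => new Uint8Array(16).buffer,
  "ArrayBuffer(8)": () => new ArrayBuffer(8),
  "plain object": () => ({}),
};

// Try `o.__proto__ = o` and report the outcome without letting it escape.
function tryCyclicProto(o) {
  try {
    o.__proto__ = o;
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other: " + String(e);
  }
}

// Repeat the assignment twice, as the reported testcase does, then confirm
// the prototype chain was left untouched and a property lookup still works.
function checkCyclicProto(make) {
  const o = make();
  const before = Object.getPrototypeOf(o);
  const attempts = [tryCyclicProto(o), tryCyclicProto(o)];
  return {
    attempts,
    protoUnchanged: Object.getPrototypeOf(o) === before,
    // `in` walks the prototype chain, so it must terminate and find nothing.
    lookupWorks: !("noSuchProperty" in o),
  };
}

// Run the check over every factory and collect the results by name.
function runAll() {
  const results = {};
  for (const [name, make] of Object.entries(factories)) {
    results[name] = checkCyclicProto(make);
  }
  return results;
}

console.log(JSON.stringify(runAll(), null, 2));
```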
