Closed Bug 666305 Opened 13 years ago Closed 13 years ago

Crash [@ js_CheckForStringIndex] or [@ js::ArrayBuffer::obj_lookupProperty]

Tracking

()

Status:

RESOLVED FIXED

Tracking Flags:

Tracking

Status

firefox7

---

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: js-triage-needed)

Attachments

(1 file)

stack 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 11.08 KB, text/plain		Details

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

13 years ago

Attached file stack — Details

o = (new Uint32Array).buffer
o.__proto__ = o
o.__proto__ = o

crashes js debug shell on TM changeset 0428dbdf3d58 with and without the patch in bug 665914, without any CLI arguments at js_CheckForStringIndex and crashes js opt shell at js::ArrayBuffer::obj_lookupProperty

Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)

Comment 1

•

13 years ago

0428dbdf3d58 is referring to some other changeset on TM.

The test case does fail before the patch attached to bug 665355, but raises type-error after that as it should.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 2

•

13 years ago

(In reply to comment #1)
> 0428dbdf3d58 is referring to some other changeset on TM.

I mean, that is the changeset which happened to be TM tip at the time of testing.

Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)

Comment 3

•

13 years ago

can you reproduce this after the set of patches that landed now? (latest is c3ceee49ac37)

Asa Dotzler [:asa]

Comment 4

•

13 years ago

The release team doesn't need to track this. If the JS team thinks it's important, they'll prioritize a fix and can ask for approval if that fix needs to land on branches.

tracking-firefox7: ? → -

David Mandelin [:dmandelin]

Updated

•

13 years ago

Whiteboard: js-triage-needed

Sheila Mooney

Comment 5

•

13 years ago

There are 2 other bugs logged with related signatures; bug 639337 and bug 591513. Did we regress the original crash or will this fix all of them.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 6

•

13 years ago

(In reply to Nikhil Marathe from comment #3)
> can you reproduce this after the set of patches that landed now? (latest is
> c3ceee49ac37)

Nope, can't reproduce this with JM changeset e0b67d8cc908 with patch v1 from bug 672892, this has m-c merge at rev a6c87fd27ba9.

Assuming fixed by patches for bug 665355.

Status: NEW → RESOLVED

Closed: 13 years ago

Resolution: --- → FIXED

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Updated

•

13 years ago

Flags: in-testsuite?

Christian Holler (:decoder)

Comment 7

•

11 years ago

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Flags: in-testsuite? → in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Crash [@ js_CheckForStringIndex] or [@ js::ArrayBuffer::obj_lookupProperty]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: js-triage-needed)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Updated

Comment 7

Attachment

General

Description

File Name

Content Type