Closed Bug 676760 Opened 13 years ago Closed 13 years ago

TI: Crash [@ JSString::isLinear()]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 674843

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 674843])

The following testcase crashes on TI revision e1508f49adc4 (run with -j -m -n -a), tested on 64-bit:


function reportCompare(expected, actual, description) {}
var AP = Array.prototype,
    rooter = {};
AP.__defineGetter__(0, function () new this);
function makeUpperCase(v, index, array) {
    try {} catch (e) {}
}
function ArrayCallback(state) {}
ArrayCallback.prototype.makeUpperCase = function (v, index, array) {};
function dumpError(e) e.stack;
var strings = ['hello', , ];
var sparsestrings = new Array;
sparsestrings[2] = 'sparse';
try {
    expect = obj = new ArrayCallback
    actual = strings.map(obj.makeUpperCase, obj).toString
} catch (e) {}
reportCompare(expect, actual, 'Array.map: lowercase with object callback');
try {
    sparsestrings.map(makeUpperCase).toString
} catch (e) {
    dumpError(e)
}

Another manifestation of bug 674843.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 674843]
Group: core-security