Closed Bug 678234 Opened 14 years ago Closed 14 years ago

TI: Crash [@ GetValueType]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

stack
3.25 KB, text/plain
Details
Attached file stack
a = {} function f(o) { for (x in o) { print } } for (var i = 0; i < 3; i++) { new f(a) a.__proto__ = null } crashes js opt shell on JM changeset e0b67d8cc908 with -m, -a and -n and patch v1 from bug 672892 at GetValueType. May be similar to bug 678141.
This is a similar issue to bug 678141, but not the same issue. The FrameState treated 'this' values in constructors as dead if 'this' was not explicitly accessed later in the script, and unsynced 'this' values could be be dropped as a result, leading to a garbage value being returned by the function. The fix treats 'this' values as always being live when doing regalloc for constructor frames. http://hg.mozilla.org/projects/jaegermonkey/rev/07361922fd67
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug678234.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: