Closed Bug 683966 Opened 13 years ago Closed 13 years ago

Crash with testcase on Windows 7 involving gc

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)

Attachments

(2 files)

testcase
1.39 KB, text/plain
Details
patch
818 bytes, patch
jorendorff
: review+
Details | Diff | Splinter Review
Attached file testcase
Attached ~50-line testcase crashes js debug shell on m-c changeset 7d3d1c2c75f8 with -m, -a and -d. Because it's on Windows, I don't yet have a stack. Since this involves gc, I'm locking just-in-case, as per normal. This was found using a triple combination of an existing js test, jsfunfuzz and jandem's method fuzzer.
Attached patch patchSplinter Review
The fix for bug 679461 was disabled when bug 674251 landed. This is a better fix, closer to the problem --- the debugger shouldn't try to recompile scripts during GC.
Attachment #557977 - Flags: review?(jorendorff)
http://hg.mozilla.org/projects/jaegermonkey/rev/aa9f4b139e38
Whiteboard: js-triage-needed → fixed-in-jaegermonkey
Comment on attachment 557977 [details] [diff] [review] patch Sure, ok. The comment might be too confident--are we really sure the script is necessarily being destroyed? Perhaps something else is being GC'd and we are calling JS_ClearTrap from a finalize hook. Skipping recompilation is harmless in any case.
Attachment #557977 - Flags: review?(jorendorff) → review+
http://hg.mozilla.org/mozilla-central/rev/aa9f4b139e38
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: