Closed Bug 693971 Opened 12 years ago Closed 12 years ago

TI: Crash [@ JSObject::getProto]

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Christian Holler (:decoder)

Reporter

Description

•

12 years ago

The following testcase crashes on jaegermonkey revision 07c668448519 (run with -m -n -a), tested on 64 bit:


function name(v) {}
function testContinue() {
    for (i = 0; i < 20; ++(name)) {
        if ([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])
            continue;
    }
}
assertEq(testContinue(), 19);

Brian Hackett [Laid off!]

Comment 1

•

12 years ago

Ah, noticed this yesterday but didn't fix it.  Array initializers are only inlined when all elements fit in the object's fixed slots, but the test for this did not account for the ObjectElements header added by bug 693221.

https://hg.mozilla.org/projects/jaegermonkey/rev/ae061e27e3df

Brian Hackett [Laid off!]

Updated

•

12 years ago

Status: NEW → RESOLVED

Closed: 12 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Reporter

Comment 2

•

11 years ago

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

TI: Crash [@ JSObject::getProto]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Comment 2