Closed Bug 696492 Opened 13 years ago Closed 13 years ago

Crash [@ JSObject::getPrivate]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: js-triage-needed)

Crash Data

Attachments

(1 file)

stack
4.04 KB, text/plain
Details
Attached file stack 
The attached testcase crashes 64-bit js debug shell on Mac 10.6 on m-c changeset 6cd262091470 with -m, -a and -d at JSObject::getPrivate.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   73034:938c1a177114
user:        Jason Orendorff
date:        Tue Jul 19 11:00:43 2011 -0500
summary:     Bug 648175 - Remove JSOP_FOR*. Second second landing, to coin a phrase. r=dvander.
Crash Signature: [@ JSObject::getPrivate]
Seems to be WFM.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Not needed in test suite for this, the testcase was huge and totally unreduced and contained substantial elements of fuzzer code.
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: