Closed Bug 704136 Opened 13 years ago Closed 13 years ago

[ObjShrink]: Crash [@ js::HeapPtr<JSString, unsigned long>::operator] with gczeal(4)

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Christian Holler (:decoder)

Reporter

Description

•

13 years ago

The following testcase crashes on jaegermonkey branch revision a335853be219 (run with -m -n -a), tested on 64 bit: gczeal(4); jsTestDriverEnd();

Brian Hackett [Laid off!]

Comment 1

•

13 years ago

obj->setPrivate() was being used when setting an object's initial state, which could trigger a write barrier that read the previous uninitialized private value. https://hg.mozilla.org/projects/jaegermonkey/rev/fe22ebe9b8b3

Status: NEW → RESOLVED

Closed: 13 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Reporter

Comment 2

•

12 years ago

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

[ObjShrink]: Crash [@ js::HeapPtr<JSString, unsigned long>::operator] with gczeal(4)

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2