Closed Bug 723409 Opened 13 years ago Closed 12 years ago

Crash calling a long function in a loop, with javascript.options.pccounts.content set to true

Categories

(Core :: JavaScript Engine, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox20 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, sec-moderate, testcase, Whiteboard: [sg:moderate][fuzzblocker])

Attachments

(1 file)

With user_pref("javascript.options.pccounts.content", true); this testcase triggers a crash in mjit code.
Windows only?
Debug builds only???
Browser crashes on Nightly 13.0a1 on Ubuntu 10.04 as well.
bp-3c7191ff-d671-49bb-9ef6-3e1e32120202
http://hg.mozilla.org/mozilla-central/rev/e18c7bc2c28e
Mozilla/5.0 (X11; Linux i686; rv:13.0a1) Gecko/20120201 Firefox/13.0a1 ID:20120201031146
Crash Signature: [@ js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool)] [@ js::mjit::JaegerShotAtSafePoint]
OS: Windows 7 → All
Hardware: x86_64 → All
The DOM fuzzer is hitting this a lot, so it might be slowing down fuzzing.
In bug 720956 comment 7 bhackett says:
> This may be the same as bug 721274, just put a patch there.
Just hit mozilla-central today, re-test in tomorrow's nightly?
Whiteboard: [sg:moderate] fuzz disruptor
It doesn't crash for me in 20.0 and in 17.0.5esr.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Whiteboard: [sg:moderate] fuzz disruptor → [sg:moderate][fuzzblocker]
Group: core-security → core-security-release
Group: core-security-release