Closed Bug 728506 Opened 13 years ago Closed 13 years ago

[IncrementalGC] Crash [@ js::mjit::JITScript::chunkIndex] with verifybarriers

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 728609

People

(Reporter: gkw, Assigned: billm)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:nse] js-triage-needed)

Crash Data

Attachments

(1 file)

stack
1.22 KB, text/plain
Details
Attached file stack
function tryItOut(code) { try {} catch (a) {} function a(e) {} n = code b = code sandboxResult(b, "same-compartment"); z = sandboxResult(b, "same-compartment"); } function sandboxResult(code, globalType) { var result try { var sandbox = newGlobal(globalType) evalcx(code, sandbox) if (typeof result != "ob") { +result } } catch (e) {} }(function() {}()) tryItOut("\ verifybarriers();\ function c(){} \ uneval( )\ "); crashes js debug shell on larch changeset 5580e7e94b1a with -m and -a at js::mjit::JITScript::chunkIndex Setting s-s because incremental GC bugs & verifybarriers sound scary.
Pass the testcase in as a CLI argument to reproduce the crash.
Assignee: general → wmccloskey
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
-> sg:nse
Whiteboard: [sg:critical] js-triage-needed → [sg:nse] js-triage-needed
> -> sg:nse (because it's a bug in the verifier, as per bug 729364 comment 1, both this bug and bug 729364 are marked as duplicates of the same bug)
A testcase for this bug was already added in the original bug (bug 728609).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: