Closed Bug 728506 Opened 12 years ago Closed 12 years ago

[IncrementalGC] Crash [@ js::mjit::JITScript::chunkIndex] with verifybarriers

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 728609

People

(Reporter: gkw, Assigned: billm)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:nse] js-triage-needed)

Crash Data

Attachments

(1 file)

stack
1.22 KB, text/plain
Details
Attached file stack 
function tryItOut(code) {
    try {} catch (a) {}
    function a(e) {}
    n = code
    b = code
    sandboxResult(b, "same-compartment");
    z = sandboxResult(b, "same-compartment");
}
function sandboxResult(code, globalType) {
    var result
    try {
        var sandbox = newGlobal(globalType)
        evalcx(code, sandbox)
        if (typeof result != "ob") {
            +result
        }
    } catch (e) {}
}(function() {}())
tryItOut("\
    verifybarriers();\
    function c(){} \
    uneval(          )\
");


crashes js debug shell on larch changeset 5580e7e94b1a with -m and -a at js::mjit::JITScript::chunkIndex

Setting s-s because incremental GC bugs & verifybarriers sound scary.
Pass the testcase in as a CLI argument to reproduce the crash.
Assignee: general → wmccloskey
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
-> sg:nse
Whiteboard: [sg:critical] js-triage-needed → [sg:nse] js-triage-needed
> -> sg:nse

(because it's a bug in the verifier, as per bug 729364 comment 1, both this bug and bug 729364 are marked as duplicates of the same bug)
A testcase for this bug was already added in the original bug (bug 728609).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: