Closed
Bug 728509
Opened 14 years ago
Closed 14 years ago
Crash [@ js::mjit::EnterMethodJIT] with mjitChunkLimit
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox11 | --- | unaffected |
| firefox12 | --- | fixed |
| firefox13 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] js-triage-needed)
Crash Data
Attachments
(1 file)
|
7.16 KB,
text/plain
|
Details |
function g(code) {
try {
f = eval("(function(){" + code + "})")
} catch (r) {}
f()
try {
evalcx("(function(){return" + code + "})()")
} catch (e) {}
}
g("mjitChunkLimit(8)")
g(" function(x,[]){NaN.x::c}()")
crashes js opt 32-bit shell on m-c changeset 78fde7e54d92 with -m, -a and -n at js::mjit::EnterMethodJIT
Assuming related to chunk patch in bug 722598. s-s because crashing on opt in Windows seems scary, together with the fact that I don't seem to see this signature on other platforms.
|
||
Comment 1•14 years ago
|
||
I can't repro this but it sure looks like bug 728342. Can you see if that patch fixes this one?
|
Reporter | |
Comment 2•14 years ago
|
||
Crashes in m-c changeset 39ea8d8f9768 but not in 13b571bde26a. The latter contains the patches from bug 728342.
-> assuming FIXED by bug 728342
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
|
||
Comment 3•14 years ago
|
||
If that's true then a better candidate for a regressor is bug 706914
status-firefox-esr10:
--- → unaffected
status-firefox11:
--- → unaffected
status-firefox12:
--- → fixed
status-firefox13:
--- → fixed
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Comment 5•13 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•