Closed Bug 738537 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ js::HeapPtr<js::Shape, unsigned int>::operator js::Shape*] or [@ js::CloseIterator] or [@ js::ion::HandleException]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 732852

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

Attached file Stack
var a = [] Object.defineProperty(a, 0, { get: (function() { for (var v in i) {} a[0] }) }) var i = Iterator({}, true) a[0] crashes js debug shell on IonMonkey changeset 61129d29a377 with -m, -a, --ion and -n at js::HeapPtr<js::Shape, unsigned int>::operator js::Shape* During the course of reduction, an opt crash at js::CloseIterator with js::ion::HandleException on the stack was also seen.
Thanks go out to Jesse and Nicolas for helping to reduce this testcase.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
IonMonkey's iterator handling is broken if an exception is thrown inside an iterator which is what happens here (this function is infinitely recursive so it will hit the stack check guard).
Attachment #608591 - Attachment description: System Diagnostic Report pointing to Firefox → Stack
A testcase for this bug was already added in the original bug (bug 732852).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: