Bug 764374 - IonMonkey: Crash [@ js::Shape::getObjectClass] with gcPreserveCode
Status: Closed, RESOLVED DUPLICATE of bug 763989
Opened 12 years ago; closed 12 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder; Unassigned
Keywords: crash, testcase
Whiteboard: [jsbugmon:update][fuzzblocker]
Description (Reporter: decoder)

The following testcase crashes on ionmonkey revision 71b71dcbf9fe (run with --ion -n):

gcPreserveCode();
(function () {
  for (var q = 0; q < 6; +q) {
    x: (function () {
      var m = (function (parent) {})()
    })([0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, 0, 0, 0, Number((1))])
  }
})()
Comment 1 (Reporter, 12 years ago)

Crash trace:

==22993== Invalid read of size 8
==22993==    at 0x406350: js::Shape::getObjectClass() const (jsscope.h:605)
==22993==    by 0x40771B: js::ObjectImpl::getClass() const (ObjectImpl-inl.h:245)
==22993==    by 0x51B415: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:310)
==22993==    by 0x45E84F: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:100)
==22993==    by 0x51B8B1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:373)
==22993==    by 0x8ACB0C: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==22993==    by 0x40347AF: ???
==22993==    by 0x10403469F: ???
==22993==    by 0x7FEFFE497: ???
==22993==    by 0xF: ???
==22993==    by 0xDE47DF: ???
==22993==    by 0xDE47BF: ???
==22993==  Address 0xdadadadadadadada is not stack'd, malloc'd or (recently) free'd

Likely responsible for quite a few signatures I've been picking up recently, marking as fuzzblocker.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Updated 12 years ago

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated 12 years ago

Group: core-security
Comment 3 (Reporter, 11 years ago)

A testcase for this bug was already added in the original bug (bug 763989).
Flags: in-testsuite-