Closed
Bug 879096
Opened 11 years ago
Closed 11 years ago
Crash [@ js::ObjectImpl::getOps] or [@ js::EncapsulatedPtr]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
firefox23 | --- | unaffected |
firefox24 | + | verified |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(5 keywords, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(1 file)
15.51 KB,
text/plain
|
Details |
x = [] try { Object.defineProperty(this, "z", { get: function() { x[6] = x; return new Array } }); x = z for (var n = 0; n < 1000; n++) { z[7] = 1 } x() } catch (e) {} crashes js debug shell on m-c changeset 57d30169ddd4 with --baseline-eager at js::EncapsulatedPtr and crashes js opt shell at js::ObjectImpl::getOps The "1000" value is essential to trigger the bug. Locking s-s just-in-case even though this requires --enable-more-deterministic - feel free to open up in case otherwise. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 132941:3835cbed5915 user: Nicolas B. Pierron date: Fri May 24 14:58:08 2013 -0700 summary: Bug 774006 - IonMonkey: Implement SetElementIC for integer indexes. r=h4writer
Reporter | ||
Updated•11 years ago
|
Flags: needinfo?(nicolas.b.pierron)
Updated•11 years ago
|
status-firefox23:
--- → unaffected
status-firefox24:
--- → affected
status-firefox-esr17:
--- → affected
Updated•11 years ago
|
Crash Signature: [@ js::ObjectImpl::getOps]
[@ js::EncapsulatedPtr] → [@ js::ObjectImpl::getOps]
[@ js::EncapsulatedPtr]
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 1•11 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Reporter | ||
Comment 2•11 years ago
|
||
I can still reproduce with m-c rev 9115d8b717e1, on a --enable-more-deterministic shell with --baseline-eager.
Crash Signature: [@ js::ObjectImpl::getOps]
[@ js::EncapsulatedPtr] → [@ js::ObjectImpl::getOps]
[@ js::EncapsulatedPtr]
Reporter | ||
Comment 4•11 years ago
|
||
I have also checked that the patch in bug 881470 comment 5 also fixes this issue.
Flags: needinfo?(nicolas.b.pierron)
Reporter | ||
Updated•11 years ago
|
Updated•11 years ago
|
Reporter | ||
Comment 5•11 years ago
|
||
This is likely fixed by the patch in bug 881470.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
status-b2g18:
--- → unaffected
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•