Crash [@ js::FunctionToString] with setObjectMetadataCallback

RESOLVED DUPLICATE of bug 893890

Status

Core
JavaScript Engine
--
critical
5 years ago
5 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86_64
Linux
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase crashes on mozilla-central revision d7553251cf43 (run with --fuzzing-safe --ion-eager):


function testMap() {
  var q = {};
}
setObjectMetadataCallback(function() { ++testMap; });
__proto__(4);
(Reporter)

Comment 1

5 years ago
Created attachment 769664 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect]

Updated

5 years ago
Crash Signature: [@ js::FunctionToString] → [@ js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool)]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 2

5 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
(Reporter)

Comment 3

5 years ago
Needinfo from Brian because setObjectMetadataCallback is involved.
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Duplicate of bug: 893890