Closed Bug 914141 Opened 12 years ago Closed 12 years ago

Crash [@ js::Shape::isNative] with backtracking register allocation

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28

People

(Reporter: decoder, Assigned: sunfish)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

[crash-signature] Machine-readable crash signature
392 bytes, text/plain
Details
The following testcase crashes on mozilla-central revision c7cc85e13f7a (threadsafe build, run with --fuzzing-safe --ion-regalloc=backtracking): function my_iterator_next() {} function testCustomIterator() { var o = { __iterator__: function () { return { next: my_iterator_next, }; } }; var a=2.0 | this && this && 'x'; for (var k = 0; k < 100; k += 10) for(var j in o) a[k + (j >> 0)] = j*k; } testCustomIterator()
Needinfo from Brian because it involves the backtracking register allocator :)
Flags: needinfo?(bhackett1024)
Blocks: 826741
This bug was also fixed by the fix for bug 906858.
Assignee: general → sunfish
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Depends on: 906858
Flags: in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: