Closed Bug 914141 Opened 10 years ago Closed 10 years ago

Crash [@ js::Shape::isNative] with backtracking register allocation

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28

People

(Reporter: decoder, Assigned: sunfish)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

[crash-signature] Machine-readable crash signature
392 bytes, text/plain
Details 
The following testcase crashes on mozilla-central revision c7cc85e13f7a (threadsafe build, run with --fuzzing-safe --ion-regalloc=backtracking):


function my_iterator_next() {}
function testCustomIterator() {
  var o = {
    __iterator__: function () {
      return {
        next: my_iterator_next,
      };
    }
  };
  var a=2.0 | this && this && 'x';
  for (var k = 0; k < 100; k += 10)
    for(var j in o)
      a[k + (j >> 0)] = j*k;
}
testCustomIterator()
Needinfo from Brian because it involves the backtracking register allocator :)
Flags: needinfo?(bhackett1024)
Blocks: 826741
This bug was also fixed by the fix for bug 906858.
Assignee: general → sunfish
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Depends on: 906858
Flags: in-testsuite?
You need to log in before you can comment on or make changes to this bug.