Crash [@ memset] through js::SizedTypeRepresentation::initInstance

RESOLVED DUPLICATE of bug 953111

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 953111
Reported: 4 years ago
Last modified: a year ago

People

Reporter: decoder
Assignee: Unassigned

Tracking

Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Hardware: x86_64 Linux
Points: ---

Firefox Tracking Flags

(firefox27 disabled, firefox28 disabled, firefox29 affected, firefox-esr24 disabled, b2g18 unaffected)

Details

Whiteboard: [jsbugmon:update]
Crash Signature: see attachment 8348974

Attachments

(1 attachment)

Description (Reporter, 4 years ago)

The following testcase crashes on mozilla-central revision b980c2dee2e7 (run with --fuzzing-safe --ion-eager):

var AA = TypedObject.uint8.array(2147483647).array();
var aa = new AA(0);
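The reporter only gives the shell flags and the two-line testcase; the harness below is an added example, not code from the bug report or from Mozilla, showing how a practitioner would reproduce a fuzzer-found SpiderMonkey shell crash and tell a signal crash apart from a clean run or an ordinary script error. It assumes a SpiderMonkey shell binary reachable as `$JS` (defaulting to `js`), and that the shell reports a child killed by signal N as exit status 128+N, which is POSIX behaviour.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce a fuzzer-found
# SpiderMonkey shell crash and classify the outcome by exit status.
# Assumption: $JS is a SpiderMonkey shell ("js") built from the revision
# under test; the flags are the ones the reporter used.

# Write the reporter's testcase (copied from the bug) to the given path.
write_testcase() {
    cat > "$1" <<'EOF'
var AA = TypedObject.uint8.array(2147483647).array();
var aa = new AA(0);
EOF
}

# Map an exit status to a verdict. A POSIX shell reports a child killed by
# signal N as 128+N, so 139 is SIGSEGV (e.g. memset on a bad pointer) and
# 134 is SIGABRT (an assertion failure in a debug build). A status in 1..128
# is a normal non-zero exit, typically an uncaught JS exception.
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case "$sig" in
            11) echo "crash:SIGSEGV" ;;
            6)  echo "crash:SIGABRT" ;;
            *)  echo "crash:signal$sig" ;;
        esac
    else
        echo "error:exit$status"
    fi
}

# Run the shell on a testcase with the reporter's flags and print the verdict.
# --fuzzing-safe hides shell-only testing functions; --ion-eager forces
# IonMonkey compilation immediately, as in the report. The "|| status=$?"
# keeps a crash from aborting the harness when "set -e" is active.
reproduce() {
    js_bin=$1
    testcase=$2
    status=0
    "$js_bin" --fuzzing-safe --ion-eager "$testcase" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# Usage: JS=/path/to/js sh repro.sh --run
if [ "${1:-}" = "--run" ]; then
    JS=${JS:-js}
    tc=${TMPDIR:-/tmp}/bug-testcase.js
    write_testcase "$tc"
    echo "$JS: $(reproduce "$JS" "$tc")"
fi
```

When bisecting, run the same harness against each candidate build and compare verdicts; a change from `crash:SIGSEGV` to `clean` or to `error:exit3` (the shell's usual status for an uncaught exception) marks the fix or the regressing changeset.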
Comment 1 (Reporter, 4 years ago)

Created attachment 8348974: [crash-signature] Machine-readable crash signature
Looks like a TypedObject issue.
Flags: needinfo?(nmatsakis)
Updated (Reporter, 4 years ago)

Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter, 4 years ago)

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
status-b2g18: --- → unaffected
status-firefox27: --- → disabled
status-firefox28: --- → disabled
status-firefox29: --- → affected
status-firefox-esr24: --- → disabled
Likely a dup of bug 953111
Flags: needinfo?(nmatsakis)

Yes, duplicate.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 953111

Updated (3 years ago)

Group: core-security → core-security-release
Group: core-security-release