Closed
Bug 621375
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ obj_hasOwnProperty] with gc
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 619004
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | - |
People
(Reporter: gkw, Assigned: Waldo)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical?][hardblocker])
Crash Data
Attachments
(1 file)
|
(deleted),
text/plain
|
Details |
x = evalcx('split').hasOwnProperty;
gc()
x()
crashes js debug shell on TM changeset 5641d5c42b7c with -m at obj_hasOwnProperty. I'm sure prior to reduction, the opt shells crashed as well but somehow the opt crash testcase borked out for some reason.
|
Reporter | |
Updated•14 years ago
|
Group: core-security
|
|
Reporter | |
Comment 1•14 years ago
|
||
Seems to be happening since changeset 547af2626088 (July 2010)
blocking2.0: --- → ?
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
Assignee | |
Updated•14 years ago
|
Assignee: general → jwalden+bmo
|
||
Comment 2•14 years ago
|
||
I think I've figured out the root of this problem: A split object has one half freed, so when the object is accessed freed memory is also accessed. A fix could be just to force gc to either collect the whole object or no object at all.
|
|
||
Updated•14 years ago
|
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][hardblocker]
|
|
||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•14 years ago
|
blocking2.0: betaN+ → -
|
||
Updated•13 years ago
|
Crash Signature: [@ obj_hasOwnProperty]
|
||
Comment 6•12 years ago
|
||
A testcase for this bug was already added in the original bug (bug 619004).
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•