Closed
Bug 877333
Opened 11 years ago
Closed 11 years ago
Assertion failure: (ptrBits & 0x7) == 0, at ./dist/include/js/Value.h:703 or Crash [@ ToPrimitive] with controllable invalid read involving rest arguments
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 875957
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
803 bytes,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision e58336e81395 (run with --ion-eager): var x = []; var n = []; var np = 0xbeef; function mont_(... y) { for (j=1 ; j<y.length; j++) undefined * y[j]; } mont_(x, n, np);
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Comment 2•11 years ago
|
||
Crashes near 0xbeef, so marking s-s. djvj mentioned this could be a dup of one of the other bugs that crash similarly, but he wasn't sure so we decided to file and track this as the other bugs get fixed.
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 132612:b2216a10f95b user: Shu-yu Guo date: Tue May 21 23:52:45 2013 -0700 summary: Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj) This iteration took 0.949 seconds to run.
Comment 4•11 years ago
|
||
This is probably a dup of 875957. Confirming.
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•