Closed
Bug 1057571
Opened 10 years ago
Closed 10 years ago
Assertion failure: obj->denseElementsAreCopyOnWrite(), at jsinfer.cpp:3473
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla34
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: assertion, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments
(1 file)
2.82 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision cd2acc7ab2f8 (run with --no-threads --fuzzing-safe):
test = (function () {
function f() {
[1,2,3,4,5];
};
return "var obj = { x : 2 };" + f.toSource() + "; f()";
})();
evalWithCache(test, {});
function evalWithCache(code, ctx) {
code = cacheEntry(code);
ctx.compileAndGo = true;
var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, saveBytecode: { value: true } }));
}
Reporter | ||
Comment 1•10 years ago
|
||
I've also seen multiple crashes with evalWithCache, with different signatures. I think we once had a bug open about evalWithCache not being fuzz-safe, but I can't find it. If this issue is shell only, it would be nice if it could be fixed there (or added to the list of unsafe functions, which will prevent it from being tested of course).
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Reporter | ||
Comment 2•10 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9605a571ca8a
user: Brian Hackett
date: Tue Aug 19 22:25:37 2014 -0800
summary: Bug 934450 - Allow objects to have copy on write elements, r=billm,jandem.
This iteration took 572.411 seconds to run.
Reporter | ||
Comment 3•10 years ago
|
||
Needinfo from Brian based on comment 2.
Flags: needinfo?(bhackett1024)
Assignee | ||
Comment 4•10 years ago
|
||
DR doesn't work on copy on write arrays, which is something that can't happen in the browser (since only non-CNG scripts are XDR'ed) but was exposed by this testcase. It would be nice to be able to support this though, as this patch does.
Assignee: nobody → bhackett1024
Attachment #8478023 -
Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Comment 5•10 years ago
|
||
Comment on attachment 8478023 [details] [diff] [review]
patch
Review of attachment 8478023 [details] [diff] [review]:
-----------------------------------------------------------------
Please add the testcase in comment 0 (ideally it should also test correctness somehow).
Attachment #8478023 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 6•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Updated•10 years ago
|
Flags: qe-verify-
You need to log in
before you can comment on or make changes to this bug.
Description
•