Closed
Bug 1096023
Opened 10 years ago
Closed 10 years ago
Assertion failure: offset < length(), at jsscript.h:1049
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla36
Tracking | Status | |
---|---|---|
firefox34 | --- | unaffected |
firefox35 | --- | unaffected |
firefox36 | --- | verified |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.2 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
599 bytes, text/plain
8.13 KB, patch (jandem: review+)
The following testcase asserts on mozilla-central revision d380166816dd (run with --no-threads --fuzzing-safe):

```js
enableSPSProfiling();
var T = TypedObject;
function check(results, ctor) {
  for (var i = 0; i < results.length; i++)
    var S = new T.StructType({f: ctor});
  for (var i = 0; i < results.length; i++) {
    var s = new S({f: results[i][1]});
  }
}
var int8results = [
  [22, 22],
  [-128, 128],
  [-1, 255],
  [0x75, 0x7575],
  [-123, 0x7585]
];
check(int8results, T.int8);
```
Reporter
Comment 1•10 years ago
Reporter
Comment 2•10 years ago
Marked s-s because the assertion sounds dangerous. This might be sec-moderate if it only affects the profiler.
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 3•10 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ed6401282c18
user: Brian Hackett
date: Tue Nov 04 15:19:46 2014 -0700
summary: Bug 1091015 - Inline allocation of Typed Objects in IonMonkey, r=nmatsakis,jandem.

This iteration took 588.707 seconds to run.
Updated•10 years ago
Blocks: 1091015
status-firefox35: --- → unaffected
status-firefox-esr31: --- → unaffected
Flags: needinfo?(nmatsakis) → needinfo?(bhackett1024)
Keywords: regression, sec-critical
Assignee
Comment 4•10 years ago
Codegen bug in the baseline cache for class hook calls. This only affects the SPS profiler.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8521833 - Flags: review?(jdemooij)
Updated•10 years ago
Attachment #8521833 - Flags: review?(jdemooij) → review+
Assignee
Comment 5•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/657e8b81c02d
Comment 6•10 years ago
https://hg.mozilla.org/mozilla-central/rev/657e8b81c02d
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.2: --- → fixed
status-firefox34: --- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Reporter
Updated•10 years ago
Status: RESOLVED → VERIFIED
Reporter
Comment 7•10 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
Group: core-security