Closed
Bug 352624
Opened 18 years ago
Closed 18 years ago
"Assertion failure: *flagp != GCF_FINAL" in js_MarkGCThing involving "let" and "map"
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
(VERIFIED FIXED, mozilla1.8.1)
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: crash, testcase, verified1.8.1, Whiteboard: [sg:critical?] js1.7)
Attachments
(2 files, 1 obsolete file)
1.16 KB, patch (igor: review+, mrbkap: review+, mtschrep: approval1.8.1+)
2.73 KB, text/plain
Each of these:
js> let (x = [].map(function () {})) { x; }
js> let (x = [].map(function () {})) 3
js> (function() { let x = [].map(function () {}); g(x); })()
Causes this in a WAY_TOO_MUCH_GC build:
Assertion failure: *flagp != GCF_FINAL, at jsgc.c:2222
Marking as security-sensitive because GC scares me.
Reporter
Comment 1•18 years ago
In a non-debug WAY_TOO_MUCH_GC build (!), I get a crash in MarkGCThingChildren dereferencing 0x00000004.
Severity: normal → critical
Reporter
Comment 2•18 years ago
This also triggers the assertion:
js> for(let x in [1].map(function () { })) { }
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.8?
Assignee
Comment 3•18 years ago
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #238764 -
Flags: review?(igor.bukanov)
Attachment #238764 -
Flags: approval1.8.1?
Assignee
Updated•18 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
Assignee
Comment 4•18 years ago
Attachment #238764 -
Attachment is obsolete: true
Attachment #238765 -
Flags: review?(igor.bukanov)
Attachment #238764 -
Flags: review?(igor.bukanov)
Attachment #238764 -
Flags: approval1.8.1?
Assignee
Comment 5•18 years ago
Comment on attachment 238765
fix with old, too-late, now-redundant SAVE_SP_AND_PC call removed
I checked the other js_GetScopeChain calls, and all are stack-safe.
/be
Attachment #238765 -
Flags: review?(mrbkap)
Attachment #238765 -
Flags: approval1.8.1?
Updated•18 years ago
Attachment #238765 -
Flags: review?(igor.bukanov) → review+
Assignee
Comment 6•18 years ago
Fixed on the trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
Attachment #238765 -
Flags: review?(mrbkap) → review+
Comment 7•18 years ago
Comment on attachment 238765
fix with old, too-late, now-redundant SAVE_SP_AND_PC call removed
a=schrep - approved to land on 1.8.1 branch before rc1.
Attachment #238765 -
Flags: approval1.8.1? → approval1.8.1+
Comment 9•18 years ago
Updated•18 years ago
Flags: in-testsuite+
Comment 10•18 years ago
verified fixed 1.8 1.9 20060919 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Comment 12•18 years ago
The testcase uses js1.7 features, but the fixed code appears similar (global changes like SAVE_SP_AND_PC in place of SAVE_SP, but otherwise same order). Is this fix wanted on the 1.8.0 branch as well?
Flags: blocking1.8.0.9? → blocking1.8.0.8?
Assignee
Comment 13•18 years ago
There's no need for the patch in older branches. /be
Updated•18 years ago
Flags: blocking1.8.0.8? → blocking1.8.0.8-
Updated•18 years ago
Whiteboard: [sg:critical?]
Updated•18 years ago
Whiteboard: [sg:critical?] → [sg:critical?] js1.7
Comment 14•18 years ago
already landed, removing 1811 nomination
Group: security
Flags: blocking1.8.1.1?
Comment 15•17 years ago
/cvsroot/mozilla/js/tests/js1_7/block/regress-352624.js,v <-- regress-352624.js
Updated•17 years ago
Flags: blocking1.9?