Closed
Bug 461930
Opened 16 years ago
Closed 16 years ago
Crash [@ nanojit::LirBuffer::validate] with yield, gc
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b2
People
(Reporter: jruderman, Assigned: brendan)
References
Details
(4 keywords)
Crash Data
function gen() { for (let j = 0; j < 4; ++j) { yield 1; yield 2; gc(); } }
for (let i in gen()) { }
Null deref [@ nanojit::LirBuffer::validate]
or
Assertion failed: count == _stats.pages (nanojit/LIR.cpp:159)
jsfunfuzz is hitting this frequently.
|
Assignee | |
Comment 2•16 years ago
|
||
David, any thoughts? I'll gdb today but any look you can have will help, I'm sure. Thanks, /be
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b2
|
|
Assignee | |
Comment 3•16 years ago
|
||
The "spot fix" patch for bug 461932 fixes this bug's testcase too. /be
|
|
Assignee | |
Comment 4•16 years ago
|
||
This WFM now. I think it was fixed by the patch for bug 458288. /be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 5•16 years ago
|
||
test landed http://hg.mozilla.org/mozilla-central/rev/a27cd03a7a00 and cvs
Flags: in-testsuite+
Flags: in-litmus-
|
||
Updated•13 years ago
|
Crash Signature: [@ nanojit::LirBuffer::validate]
You need to log in
before you can comment on or make changes to this bug.
Description
•