Closed
Bug 592234
Opened 14 years ago
Closed 14 years ago
TM: Crash [@ js::Mark] or "Assertion failure: !(addr & GC_CELL_MASK)," or "Assertion failure: thing,"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords)
Crash Data
The following testcases, when passed in as a CLI argument to the js shell, show weird output on TM changeset e8ee411dca70 with -j.
Filing together because they were reduced from the same large testcase, s-s because they involve gc..
Reporter | ||
Comment 3•14 years ago
|
||
The testcases have been attached, and are private because they still have a large part of jsfunfuzz in them. They have been a PITA to reduce. :(
Reporter | ||
Updated•14 years ago
|
blocking2.0: --- → ?
Reporter | ||
Comment 4•14 years ago
|
||
Probably related to bug 558451.
Regression window:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=be9979b4c10b&tochange=f3e58c264932
Blocks: 558451
Comment 5•14 years ago
|
||
Isn't jsfunfuzz public?
http://www.squarefree.com/2007/08/02/introducing-jsfunfuzz/
Comment 6•14 years ago
|
||
Older versions of jsfunfuzz are public, yes.
Updated•14 years ago
|
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Updated•14 years ago
|
blocking2.0: ? → betaN+
Comment 7•14 years ago
|
||
WFM, another bisect candidate. I bet bug 595365 had the fix-patch but out of time to research atm.
/be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Comment 8•14 years ago
|
||
The first good revision is:
changeset: 51614:e80892986b11
user: Brendan Eich <brendan@mozilla.org>
date: Tue Aug 31 07:33:25 2010 -0700
summary: Bug 592001 - Fix v8-regexp regression in wake of patch for bug 558451 (r=igor, CLOSED TREE).
The testcase is messy, so this may or may not have been the changeset that actually fixed the bug.
Updated•14 years ago
|
Resolution: WORKSFORME → FIXED
Updated•14 years ago
|
Group: core-security
Updated•14 years ago
|
Crash Signature: [@ js::Mark]
You need to log in
before you can comment on or make changes to this bug.
Description
•