Closed Bug 592234 Opened 14 years ago Closed 14 years ago

TM: Crash [@ js::Mark] or "Assertion failure: !(addr & GC_CELL_MASK)," or "Assertion failure: thing,"

Categories

(Core :: JavaScript Engine, defect)

Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

The following testcases, when passed in as a CLI argument to the js shell, show weird output on TM changeset e8ee411dca70 with -j. Filing together because they were reduced from the same large testcase, s-s because they involve gc.
The testcases have been attached, and are private because they still have a large part of jsfunfuzz in them. They have been a PITA to reduce. :(
blocking2.0: --- → ?
Older versions of jsfunfuzz are public, yes.
blocking2.0: ? → betaN+
WFM, another bisect candidate. I bet bug 595365 had the fix-patch but out of time to research atm. /be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
The first good revision is:
changeset: 51614:e80892986b11
user: Brendan Eich <brendan@mozilla.org>
date: Tue Aug 31 07:33:25 2010 -0700
summary: Bug 592001 - Fix v8-regexp regression in wake of patch for bug 558451 (r=igor, CLOSED TREE).
The testcase is messy, so this may or may not have been the changeset that actually fixed the bug.
Resolution: WORKSFORME → FIXED
Group: core-security
Crash Signature: [@ js::Mark]