TM: Crash [@ js::Mark] or "Assertion failure: !(addr & GC_CELL_MASK)," or "Assertion failure: thing,"

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
assertion, crash, regression, testcase
Points:
---

Firefox Tracking Flags

(blocking2.0 betaN+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(crash signature)

(Reporter)

Description

7 years ago
The following testcases, when passed in as a CLI argument to the js shell, show weird output on TM changeset e8ee411dca70 with -j.

Filing together because they were reduced from the same large testcase, s-s because they involve gc.
(Reporter)

Comment 3

7 years ago
The testcases have been attached, and are private because they still have a large part of jsfunfuzz in them. They have been a PITA to reduce. :(
(Reporter)

Updated

7 years ago
blocking2.0: --- → ?
(Reporter)

Comment 4

7 years ago
Probably related to bug 558451.

Regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=be9979b4c10b&tochange=f3e58c264932
Blocks: 558451
Isn't jsfunfuzz public?
http://www.squarefree.com/2007/08/02/introducing-jsfunfuzz/

Comment 6

7 years ago
Older versions of jsfunfuzz are public, yes.
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected

Updated

7 years ago
blocking2.0: ? → betaN+
WFM, another bisect candidate. I bet bug 595365 had the fix-patch but out of time to research atm.

/be
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME

Comment 8

7 years ago
The first good revision is:
changeset:   51614:e80892986b11
user:        Brendan Eich <brendan@mozilla.org>
date:        Tue Aug 31 07:33:25 2010 -0700
summary:     Bug 592001 - Fix v8-regexp regression in wake of patch for bug 558451 (r=igor, CLOSED TREE).

The testcase is messy, so this may or may not have been the changeset that actually fixed the bug.

Updated

7 years ago
Resolution: WORKSFORME → FIXED
Group: core-security
Crash Signature: [@ js::Mark]