Assertion failure: script->ownerObject == owner, at jsscript.cpp:309
RESOLVED
FIXED
in mozilla10
Status
()
People
(Reporter: decoder, Assigned: billm)
Tracking
(Blocks: 1 bug, {assertion, testcase})
Firefox Tracking Flags
(Not tracked)
Details
(Whiteboard: js-triage-done)
Attachments
(1 attachment)
|
10.34 KB,
patch
|
dmandelin
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 959c1e6bdb11 (options -m -n -a):
gczeal(2);
string=""
for (var i = 0; i < 100; i++ )
hex=newGlobal('same-compartment');
S-s for now because this is GC related.
|
||
Comment 1•7 years ago
|
||
I got this too in jsfunfuzz.
|
||
Comment 2•7 years ago
|
||
And I get this in the browser with RandomJS. (My testcase also uses gczeal.)
|
(Assignee) | |
Comment 3•7 years ago
|
||
Created attachment 562481 [details] [diff] [review] fix This was a bogus assertion, unfortunately. The setOwnerObject call was supposed to happen right after setting u.i.script. But that inadvertently got broken in a few places. I've added a setter to make it less likely for this to happen again.
|
|
(Assignee) | |
Comment 4•7 years ago
|
||
Also, not S-S. Except for the assertion, the code was fine.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
|
||
Updated•7 years ago
|
Attachment #562481 -
Flags: review?(dmandelin) → review+
|
|
(Assignee) | |
Comment 5•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7cf12c7ae38
Target Milestone: --- → mozilla10
|
||
Comment 6•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f7cf12c7ae38
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
|
(Reporter) | |
Comment 7•6 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug688939.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•