Closed
Bug 688939
Opened 11 years ago
Closed 11 years ago
Assertion failure: script->ownerObject == owner, at jsscript.cpp:309
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla10
People
(Reporter: decoder, Assigned: billm)
Details
(Keywords: assertion, testcase, Whiteboard: js-triage-done)
Attachments
(1 file)
|
10.34 KB,
patch
|
dmandelin
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 959c1e6bdb11 (options -m -n -a):
gczeal(2);
string=""
for (var i = 0; i < 100; i++ )
hex=newGlobal('same-compartment');
S-s for now because this is GC related.
|
||
Comment 1•11 years ago
|
||
I got this too in jsfunfuzz.
|
||
Comment 2•11 years ago
|
||
And I get this in the browser with RandomJS. (My testcase also uses gczeal.)
|
Assignee | |
Comment 3•11 years ago
|
||
This was a bogus assertion, unfortunately. The setOwnerObject call was supposed to happen right after setting u.i.script. But that inadvertently got broken in a few places. I've added a setter to make it less likely for this to happen again.
|
|
Assignee | |
Comment 4•11 years ago
|
||
Also, not S-S. Except for the assertion, the code was fine.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
|
||
Updated•11 years ago
|
Attachment #562481 -
Flags: review?(dmandelin) → review+
|
|
Assignee | |
Comment 5•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7cf12c7ae38
Target Milestone: --- → mozilla10
|
||
Comment 6•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f7cf12c7ae38
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 7•10 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug688939.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•