Closed Bug 707816 Opened 13 years ago Closed 13 years ago

[IncrementalGC] Crash [@ IteratorNext [inlined]] or "Assertion failure: !aheader->hasFreeThings(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: billm)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

stacks
7.82 KB, text/plain
Details
Attached file stacks
RegExp.prototype.__proto__[2] = 2 Function("\ for(z in[0]) {\ for(e in ((ArrayBuffer)(725485439)))\ print\ }\ ")() asserts js debug shell on larch changeset 52c1d5dc6aad without any CLI arguments at Assertion failure: !aheader->hasFreeThings(), and crashes js opt shell at IteratorNext [inlined] This was found using a combination of jsfunfuzz and jandem's method fuzzer. (not sure how correct this is): autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 81187:52c1d5dc6aad tag: tip parent: 80945:17869dea1813 parent: 81186:6180c68bffbf user: Bill McCloskey date: Fri Dec 02 14:07:41 2011 -0800 summary: Merge mozilla-central to larch
This seems to have been fixed by https://hg.mozilla.org/projects/larch/rev/eeaf42070e8a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ IteratorNext [inlined]]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: