Closed
Bug 722028
Opened 13 years ago
Closed 13 years ago
Assertion failure: static_cast<Cell *>(thing)->isMarked(), at jsgc.cpp:3670
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla13
People
(Reporter: decoder, Assigned: billm)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
1.53 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 8a59519e137e (options -m -n):
gczeal(4);
var BUGNUMBER = 668024;
var summary =
print(BUGNUMBER + ": " + summary);
var arr = [0, 1, 2, 3, 4, 5, , 7];
var seen = [];
for (var p in arr) {
if (seen.indexOf(unescape) >= 0) {}
arr.splice(2, 3);
seen.push(p);
}
Seems related to incremental GC, so not security relevant for now.
|
Assignee | |
Comment 1•13 years ago
|
||
Looks like this has been missing since write barriers landed. Oops.
Attachment #592799 -
Flags: review?(bhackett1024)
|
||
Updated•13 years ago
|
Attachment #592799 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 2•13 years ago
|
||
Target Milestone: --- → mozilla13
|
||
Comment 3•13 years ago
|
||
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/71f5bf4df2f6 - one of the six in that push was crashing in js::gc::Mark<JSString>
Target Milestone: mozilla13 → ---
|
|
Assignee | |
Comment 4•13 years ago
|
||
Target Milestone: --- → mozilla13
|
||
Comment 5•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 6•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug722028.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•