Bug 729910: Assertion failure: str, at ../../jsval.h:702 or Crash [@ JSString::isAtom] with OOM
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla13
People: Reporter: decoder, Assigned: billm
Details: Keywords: assertion, crash, testcase; Whiteboard: js-triage-needed
Attachments (1 file): patch, 842 bytes, luke: review+

The following test asserts on mozilla-central revision 9bde0d25d76e (options -m -n -a):
var lfcode = new Array();
lfcode.push("function test()\
gc();\
gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4*1024);\
function complexMult(a, b) {\
function complexAdd(a, b) {\
function abs(a) {\
function computeEscapeSpeed(c) {\
function createMandelSet(realRange, imagRange) {}\
}\
}\
}\
}\
");
lfcode.push("function testLambdaCtor( _ ) {\
for (var x = 0; x < 2; ++x) {\
var f = function(){};\
if (x == 1) gc();\
q = new f;\
}\
return q.__proto__ === (testLambdaCtor(\"9.2.1.7 XMLList [[DeepCopy]]\"));\
}\
assertEq(testLambdaCtor(), true);\
");
while (true) {
    var file = lfcode.shift(); if (file == undefined) { break; }
    if (file == "evaluate") {
    } else {
        evaluate(file); //loadFile(file);
    }
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) == ".js") {
        } else {
            evaluate(lfVarx);
        }
    } catch (lfVare) { }
}
Originally, this asserted as:
Assertion failure: !hasLazyType(), at ../jsobj.h:867
Crashes afterwards seem like safe null-pointer crashes (probably due to OOM).

Comment 1 (Assignee) • 13 years ago
Missing null check.

Updated • 13 years ago
Attachment #600065 - Flags: review?(luke) → review+

Comment 2 (Assignee) • 13 years ago
Target Milestone: --- → mozilla13

Comment 3 • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED