"Assertion failure: key == JSProto_Int8Array || key == JSProto_Uint8Array || key == JSProto_Int16Array || key == JSProto_Uint16Array || key == JSProto_Int32Array || key == JSProto_Uint32Array || .." (truncated because assertion message is too long)

RESOLVED DUPLICATE of bug 757682

Status

()

Core
JavaScript Engine
--
critical
RESOLVED DUPLICATE of bug 757682
6 years ago
4 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
x86
Linux
assertion, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 626980 [details]
stack

x = [];
x.unshift(ArrayBuffer());
x.map(DataView);

asserts js debug shell on m-c changeset c20d415ef1b5 with -n at Assertion failure: key == JSProto_Int8Array || key == JSProto_Uint8Array || key == JSProto_Int16Array || key == JSProto_Uint16Array || key == JSProto_Int32Array || key == JSProto_Uint32Array || key == JSProto_Float32Array || key == JSProto_Float64Array || key == JSProto_Uint8ClampedArray,

ArrayBuffer bugs have been known to be s-s in the past, so setting this one s-s as well unless otherwise shown.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   94163:73b380d3edd8
user:        Steve Fink
date:        Wed Mar 28 14:43:02 2012 -0700
summary:     Bug 741041 - Use UnwrapObjectChecked, and ensure ArrayBufferViews and their buffers are in the same compartment. r=luke
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 757682
Group: core-security
You need to log in before you can comment on or make changes to this bug.