Closed
Bug 771027
Opened 13 years ago
Closed 13 years ago
Assertion failure: isObject(), at ../../jsapi.h:474 or Opt Crash [@ js_IteratorMore]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: decoder, Assigned: jorendorff)
References
Details
(4 keywords, Whiteboard: [js:p2][jsbugmon:update])
Crash Data
Attachments
(1 file)
|
2.44 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test asserts/crashes on mozilla-central revision b6aa44d8f11f (options -m -n -a):
Array.prototype.iterator = (function() { { while(0) function Uint8ClampedArray() { } } });
assertEq(Set(["testing", "testing", 123]).size(), 2);
Opt-crash trace:
==35441== Invalid read of size 4
==35441== at 0x80CE74F: js_IteratorMore(JSContext*, JS::Handle<JSObject*>, JS::Value*) (jsiter.cpp:1762)
==35441== by 0xFFFFFF81: ???
==35441== Address 0x0 is not stack'd, malloc'd or (recently) free'd
|
||
Comment 1•13 years ago
|
||
The first bad revision is:
changeset: cb49c3730a97
user: Jason Orendorff
date: Tue Jul 03 16:34:56 2012 -0500
summary: Bug 725907 - for-of improvements, part 2: Make for-of loops just call .iterator() instead of using the magic iteratorObject hook with an extra flag. r=bhackett.
The first good revision is:
changeset: aadf6091245b
user: Ehsan Akhgari
date: Wed Jul 04 19:26:20 2012 -0400
summary: Backout changeset cb49c3730a97 (bug 725907 part 2) under the suspicion of breaking Linux32 mochitest-chrome without framepointers
Blocks: 725907
Keywords: regression
|
Assignee | |
Comment 2•13 years ago
|
||
Reproduced. Even without -m -n -a. Taking.
Assignee: general → jorendorff
|
|
Assignee | |
Comment 3•13 years ago
|
||
Yup. Easy fix. Right on, fuzzers.
Attachment #639693 -
Flags: review?(bhackett1024)
|
||
Updated•13 years ago
|
Attachment #639693 -
Flags: review?(bhackett1024) → review+
|
|
||
Comment 4•13 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #3)
> Created attachment 639693 [details] [diff] [review]
> v1
>
> Yup. Easy fix. Right on, fuzzers.
Unfortunately, I think the patch now has a little bit of bitrot to land on mozilla-inbound.
|
|
Assignee | |
Comment 5•13 years ago
|
||
No worries. The Map/Set iterators were backed out due to unrelated brain damage, but when I reland them, I'll land this fix along with them.
|
|
||
Updated•13 years ago
|
Whiteboard: js-triage-needed [jsbugmon:update] → [js:p2][jsbugmon:update]
|
|
||
Comment 6•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
|
Reporter | |
Comment 7•13 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•