Created attachment 653223 [details] stack print(ParallelArray()); asserts js debug shell on m-c changeset 35b8d6ef5d46 without any CLI arguments at Assertion failure: isObject(), This is blowing up the fuzzers so setting [fuzzblocker]. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 102665:ea2ad8970f3e user: Shu-yu Guo date: Fri Aug 17 10:38:59 2012 -0700 summary: Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
Locking s-s because the possibly-related bug 783924 is s-s. The crash in this bug seems to be a null crash though. (setting csec-dos because of null crash)
Crash Signature: [@ js::ParallelArrayObject::toStringBufferImpl]
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
Keywords: csec-dos, sec-critical
Summary: "Assertion failure: isObject()," → Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"
Attachment #653229 - Flags: review? → review?(dmandelin)
Attachment #653229 - Flags: review?(dmandelin) → review+
Assignee: general → shu
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status-firefox17: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
JSBugMon: This bug has been automatically verified fixed.
Keywords: csec-dos, sec-critical → csec-nullptr, sec-other
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
You need to log in before you can comment on or make changes to this bug.