Last Comment Bug 783923 - Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"
: Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: ...
Status: VERIFIED FIXED
[fuzzblocker]
: assertion, csectype-nullptr, regression, sec-other, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Mac OS X
: -- critical (vote)
: mozilla17
Assigned To: Shu-yu Guo [:shu]
: general
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: jsfunfuzz 778559 783924
  Show dependency treegraph
 
Reported: 2012-08-19 17:08 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:03 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
unaffected
unaffected
unaffected
verified
unaffected


Attachments
stack (7.63 KB, text/plain)
2012-08-19 17:08 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags Details
stack from opt crash (6.92 KB, text/plain)
2012-08-19 17:27 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags Details
fix and testcase (3.74 KB, patch)
2012-08-19 17:37 PDT, Shu-yu Guo [:shu]
dmandelin: review+
Details | Diff | Splinter Review

Description Gary Kwong [:gkw] [:nth10sd] 2012-08-19 17:08:48 PDT
Created attachment 653223 [details]
stack

print(ParallelArray());

asserts js debug shell on m-c changeset 35b8d6ef5d46 without any CLI arguments at Assertion failure: isObject(),

This is blowing up the fuzzers so setting [fuzzblocker].

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102665:ea2ad8970f3e
user:        Shu-yu Guo
date:        Fri Aug 17 10:38:59 2012 -0700
summary:     Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-08-19 17:25:48 PDT
Locking s-s because the possibly-related bug 783924 is s-s. The crash in this bug seems to be a null crash though.

(setting csec-dos because of null crash)
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-08-19 17:27:47 PDT
Created attachment 653228 [details]
stack from opt crash
Comment 3 Shu-yu Guo [:shu] 2012-08-19 17:37:31 PDT
Created attachment 653229 [details] [diff] [review]
fix and testcase
Comment 5 Ed Morley [:emorley] 2012-08-21 06:57:55 PDT
https://hg.mozilla.org/mozilla-central/rev/d194a7d36e65
Comment 6 Christian Holler (:decoder) 2012-08-21 07:59:25 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 7 Christian Holler (:decoder) 2013-01-19 14:03:34 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.