Closed
Bug 783923
Opened 12 years ago
Closed 12 years ago
Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla17
Tracking | Status | |
---|---|---|
firefox14 | --- | unaffected |
firefox15 | --- | unaffected |
firefox16 | --- | unaffected |
firefox17 | --- | verified |
firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: shu)
References
Details
(5 keywords, Whiteboard: [fuzzblocker])
Crash Data
Attachments
(3 files)
print(ParallelArray()); asserts js debug shell on m-c changeset 35b8d6ef5d46 without any CLI arguments at Assertion failure: isObject(), This is blowing up the fuzzers so setting [fuzzblocker]. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 102665:ea2ad8970f3e user: Shu-yu Guo date: Fri Aug 17 10:38:59 2012 -0700 summary: Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
Reporter | ||
Updated•12 years ago
|
Group: core-security
Reporter | ||
Comment 1•12 years ago
|
||
Locking s-s because the possibly-related bug 783924 is s-s. The crash in this bug seems to be a null crash though. (setting csec-dos because of null crash)
Crash Signature: [@ js::ParallelArrayObject::toStringBufferImpl]
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → unaffected
status-firefox15:
--- → unaffected
status-firefox16:
--- → unaffected
status-firefox17:
--- → affected
Keywords: csec-dos,
sec-critical
Summary: "Assertion failure: isObject()," → Crash [@ js::ParallelArrayObject::toStringBufferImpl] or "Assertion failure: isObject(),"
Reporter | ||
Comment 2•12 years ago
|
||
Assignee | ||
Comment 3•12 years ago
|
||
Assignee | ||
Updated•12 years ago
|
Attachment #653229 -
Flags: review?
Assignee | ||
Updated•12 years ago
|
Attachment #653229 -
Flags: review? → review?(dmandelin)
Updated•12 years ago
|
Attachment #653229 -
Flags: review?(dmandelin) → review+
Assignee | ||
Comment 4•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d194a7d36e65
Comment 5•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d194a7d36e65
Assignee: general → shu
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Comment 6•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
|
Group: core-security
Comment 7•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•