Closed
Bug 793513
Opened 12 years ago
Closed 12 years ago
Assertion failure: !unknownProperties(), at ../jsinferinlines.h:1440
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla18
Tracking | Status | |
---|---|---|
firefox16 | --- | unaffected |
firefox17 | --- | unaffected |
firefox18 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: Benjamin)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][adv-main18-])
Attachments
(1 file)
1.41 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision e4757379b99a (run with --ion-eager): gczeal(2); function bottomUpTree(item,depth){ return new(function ( left = toString(2.3) , ... depth ) { depth[bottomUpTree] = null; })(null,null,item); } for ( var n = 4; n <= 7; n += 1 ) { var minDepth = 4; var maxDepth = Math.max(minDepth + 2, n); var longLivedTree = bottomUpTree(0,maxDepth); }
Reporter | ||
Comment 1•12 years ago
|
||
This doesn't crash but it contains gczeal so assuming it's GC related and therefore s-s.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update]
Assignee | ||
Comment 2•12 years ago
|
||
I'm not sure who's reviewing TI while bhackett is gone. Dave, feel free to punt.
Attachment #663842 -
Flags: review?(dvander)
Updated•12 years ago
|
No longer blocks: IonFuzz
Summary: IonMonkey: Assertion failure: !unknownProperties(), at ../jsinferinlines.h:1440 → Assertion failure: !unknownProperties(), at ../jsinferinlines.h:1440
Comment on attachment 663842 [details] [diff] [review] only try to set properties if there are no unknown ones Thanks for the patch, Benjamin! I'm sending this over to Jan since he has a better idea of jsinfer guts.
Attachment #663842 -
Flags: review?(dvander) → review?(jdemooij)
Comment 4•12 years ago
|
||
Comment on attachment 663842 [details] [diff] [review] only try to set properties if there are no unknown ones Review of attachment 663842 [details] [diff] [review]: ----------------------------------------------------------------- LGTM, thanks!
Attachment #663842 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 5•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/06a996a45063
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/06a996a45063
Assignee: general → benjamin
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox18:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Comment 7•12 years ago
|
||
The being patched does not seem to exist on the esr10 branch; don't know about Firefox 17 or 16
status-firefox-esr10:
--- → unaffected
Assignee | ||
Comment 8•12 years ago
|
||
I believe this is specific to Ion/TI interactions.
status-firefox16:
--- → unaffected
status-firefox17:
--- → unaffected
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 9•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main18-]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•