Closed
Bug 817444
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: isAtom(), at ../../vm/String.h:380
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 820186
People
(Reporter: decoder, Assigned: jonco)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
5.91 KB,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 2533bce8e045 (run with --ion-eager):
var lfcode = new Array();
lfcode.push("4");
lfcode.push("");
lfcode.push("0");
lfcode.push("reportCompare();");
lfcode.push("\
gczeal(10,2)\n\
function testScatterConflict() {\n\
var p = new ParallelArray([1,2,3,4,5]);\n\
}\n\
testScatterConflict();\n\
");
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
if (file == "evaluate") {
} else {
loadFile(file);
}
}
function loadFile(lfVarx) {
try {
if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
switch (lfRunTypeId) {
case 0: evaluate(lfVarx); break;
case 4: print(lfVarx); evaluate(lfVarx,{ newContext: true, compileAndGo: true, global: newGlobal('new-compartment') }); break;
}
} else if (!isNaN(lfVarx)) {
lfRunTypeId = parseInt(lfVarx);
}
} catch (lfVare) {}
}
|
Reporter | |
Comment 1•12 years ago
|
||
Marking s-s because the test is not stable and involves GC, likely a memory corruption.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
|
||
Comment 2•12 years ago
|
||
Looks like a crash in TI.
If you replace the |ParallelArray| line with another constructor, like |TypedArray|, the testcase still crashes. Absolving myself of trying to debug this; not enough spare cycles at the moment.
CCing bhackett also.
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•12 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 114220:f55177f70719
user: Jon Coppeard
date: Fri Nov 16 15:34:22 2012 +0000
summary: Bug 790338 - Sweep compartments in groups r=billm
This iteration took 0.300 seconds to run.
|
|
Reporter | |
Comment 5•12 years ago
|
||
Jon, can you take a look and propose a security rating for the bug? It could also be a duplicate to bug 820349 or bug 820215 since it contains gczeal(10).
Flags: needinfo?(jcoppeard)
|
|
||
Comment 6•12 years ago
|
||
Brief discussion with bhackett on IRC:
< bhackett> shu: it looks like the TypeObject's propid got swept out from under it
That sounds similar to bug 820186.
|
Assignee | |
Updated•12 years ago
|
Assignee: general → jcoppeard
|
|
Assignee | |
Comment 8•12 years ago
|
||
This is the same issue as bug 820186 - marking as duplicate.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•