Closed
Bug 831055
Opened 12 years ago
Closed 12 years ago
"Assertion failure: [infer failure] Missing type in object [0x241d1f0] lastIndex: float,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox20 | + | fixed |
| firefox21 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:][adv-main20+] YARR bug on Win64)
Attachments
(1 file)
|
7.62 KB,
text/plain
|
Details |
r = RegExp("(?!})()?", "g");
r.test();
r.lastIndex;
asserts js debug shell on m-c changeset 56ff556e74d9 with -a at Assertion failure: [infer failure] Missing type in object [0x241d1f0] lastIndex: float,
Tested on 64-bit. s-s because this is an inference failure.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 116119:b7e2ba73b2ff
user: Sean Stangl
date: Wed Dec 12 18:11:28 2012 -0800
summary: Bug 808245, Part 6/6 - Add MatchOnly mode and lazify RegExpStatics.
r=dvander
|
||
Comment 1•12 years ago
|
||
This is probably another instance of Bug 826581. Anything involving search(), test(), or replace() will have random behavior on Win64 until that bug is fixed.
|
|
||
Comment 2•12 years ago
|
||
That should read "Bug 826588".
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 3•12 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
||
Comment 4•12 years ago
|
||
Marking as moderate because it is probably Win64 only.
Keywords: sec-moderate
Whiteboard: [jsbugmon:] → [jsbugmon:] YARR bug on Win64
|
|
||
Comment 5•12 years ago
|
||
Gary, this also should have been fixed by Makoto's recent patch in Bug 830676.
Flags: needinfo?(gary)
|
Reporter | |
Comment 6•12 years ago
|
||
I verify that the assertion no longer occurs with the testcase. Setting in-testsuite? and assuming fixed by bug 830676.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(gary) → in-testsuite?
Resolution: --- → FIXED
|
|
Reporter | |
Updated•12 years ago
|
status-firefox21:
--- → fixed
|
||
Comment 7•12 years ago
|
||
Can we land 830676 on Aurora? This bug occurs on at least Firefox 20 based on when it was filed.
status-b2g18:
--- → unaffected
status-firefox20:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox20:
--- → +
tracking-firefox21:
--- → +
Keywords: sec-moderate → sec-high
|
|
||
Comment 8•12 years ago
|
||
of course bug 830676 claims it's fixing a regression in Firefox 21 so it's not clear how it fixed this older bug. Maybe there's a part of it to back-port?
|
|
Reporter | |
Comment 9•12 years ago
|
||
Sean, does the patch in bug 830676 need to be backported to Aurora?
I marked this bug as affecting 20 but bug 830676 (which fixes this bug) is set as not affecting 20.
Flags: needinfo?(sstangl)
|
|
||
Comment 10•12 years ago
|
||
(In reply to Gary Kwong [:gkw] (intermittent Feb 8 - Feb 19) from comment #9)
> Sean, does the patch in bug 830676 need to be backported to Aurora?
>
> I marked this bug as affecting 20 but bug 830676 (which fixes this bug) is
> set as not affecting 20.
Aurora is affected by Bug 830676. I'll set the bits.
Flags: needinfo?(sstangl)
|
||
Comment 11•12 years ago
|
||
Bug 830676 got uplifted and marked fixed on FF 20 - is there anything left here to do for FF 20?
|
|
Reporter | |
Comment 12•12 years ago
|
||
(In reply to Lukas Blakk [:lsblakk] from comment #11)
> Bug 830676 got uplifted and marked fixed on FF 20 - is there anything left
> here to do for FF 20?
Nope. I verified that it has been fixed for FF 20 (mozilla-beta now).
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:] YARR bug on Win64 → [jsbugmon:][adv-main20+] YARR bug on Win64
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•