Closed Bug 831658 Opened 8 years ago Closed 8 years ago

"Assertion failure: inUse_.empty(),"

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla21
Tracking Status
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 --- unaffected
firefox21 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Attached file stack
String.prototype.search = evalcx('').String.prototype.search
x = /./.test()
''.search(/()/)

asserts js debug shell on m-c changeset ce9cdd801a73 without any CLI arguments at Assertion failure: inUse_.empty(),

s-s because gc is on the stack.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   118977:f2e3d3913d70
user:        Sean Stangl
date:        Tue Jan 15 15:35:25 2013 -0800
summary:     Bug 829758 - use MatchOnly mode for str_search(). r=dvander
Sean, this seems to point to bug 829758 as the regressor.
Tentatively rating sec-critical, because compartments and gc are on the stack.
Attached patch fix
evalcx() lets multiple RegExpStatics leak into the same RegExpCompartment's RegExpShared usage table. This is safe: we just need to iterate in the destructor.
Attachment #703610 - Flags: review?(dvander)
Flags: needinfo?(sstangl)
Attachment #703610 - Flags: review?(dvander) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 02e12a80aef9).
This landed.

http://hg.mozilla.org/mozilla-central/rev/4e7658d7727c
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Target Milestone: --- → mozilla21
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security