Closed
Bug 831658
Opened 8 years ago
Closed 8 years ago
"Assertion failure: inUse_.empty(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox18 | --- | unaffected |
| firefox19 | --- | unaffected |
| firefox20 | --- | unaffected |
| firefox21 | + | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
3.59 KB,
text/plain
|
Details | |
|
945 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
String.prototype.search = evalcx('').String.prototype.search
x = /./.test()
''.search(/()/)
asserts js debug shell on m-c changeset ce9cdd801a73 without any CLI arguments at Assertion failure: inUse_.empty(),
s-s because gc is on the stack.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 118977:f2e3d3913d70
user: Sean Stangl
date: Tue Jan 15 15:35:25 2013 -0800
summary: Bug 829758 - use MatchOnly mode for str_search(). r=dvander
|
Reporter | |
Comment 1•8 years ago
|
||
Sean, this seems to point to bug 829758 as the regressor.
status-b2g18:
--- → unaffected
status-firefox-esr10:
--- → unaffected
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → unaffected
Flags: needinfo?(sstangl)
|
|
Reporter | |
Updated•8 years ago
|
tracking-firefox21:
--- → ?
|
|
Reporter | |
Comment 2•8 years ago
|
||
Tentatively rating sec-critical, because compartments and gc are on the stack.
|
|
Reporter | |
Updated•8 years ago
|
Keywords: sec-critical
|
||
Comment 3•8 years ago
|
||
evalcx() lets multiple RegExpStatics leak into the same RegExpCompartment's RegExpShared usage table. This is safe: we just need to iterate in the destructor.
Attachment #703610 -
Flags: review?(dvander)
Flags: needinfo?(sstangl)
Attachment #703610 -
Flags: review?(dvander) → review+
|
|
Reporter | |
Updated•8 years ago
|
Keywords: checkin-needed
|
|
||
Comment 4•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e7658d7727c
Flags: in-testsuite+
|
|
Reporter | |
Updated•8 years ago
|
Keywords: checkin-needed
|
||
Updated•8 years ago
|
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 5•8 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 02e12a80aef9).
|
|
Reporter | |
Comment 6•8 years ago
|
||
This landed. http://hg.mozilla.org/mozilla-central/rev/4e7658d7727c
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Target Milestone: --- → mozilla21
|
|
Reporter | |
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update]
|
|
||
Updated•8 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 7•8 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•8 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•