Closed
Bug 831658
Opened 12 years ago
Closed 12 years ago
"Assertion failure: inUse_.empty(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | --- | unaffected |
firefox20 | --- | unaffected |
firefox21 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
3.59 KB,
text/plain
|
Details | |
945 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
String.prototype.search = evalcx('').String.prototype.search
x = /./.test()
''.search(/()/)
asserts js debug shell on m-c changeset ce9cdd801a73 without any CLI arguments at Assertion failure: inUse_.empty(),
s-s because gc is on the stack.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 118977:f2e3d3913d70
user: Sean Stangl
date: Tue Jan 15 15:35:25 2013 -0800
summary: Bug 829758 - use MatchOnly mode for str_search(). r=dvander
Reporter | ||
Comment 1•12 years ago
|
||
Sean, this seems to point to bug 829758 as the regressor.
status-b2g18:
--- → unaffected
status-firefox-esr10:
--- → unaffected
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → unaffected
Flags: needinfo?(sstangl)
Reporter | ||
Updated•12 years ago
|
tracking-firefox21:
--- → ?
Reporter | ||
Comment 2•12 years ago
|
||
Tentatively rating sec-critical, because compartments and gc are on the stack.
Reporter | ||
Updated•12 years ago
|
Keywords: sec-critical
Comment 3•12 years ago
|
||
evalcx() lets multiple RegExpStatics leak into the same RegExpCompartment's RegExpShared usage table. This is safe: we just need to iterate in the destructor.
Attachment #703610 -
Flags: review?(dvander)
Flags: needinfo?(sstangl)
Updated•12 years ago
|
Attachment #703610 -
Flags: review?(dvander) → review+
Reporter | ||
Updated•12 years ago
|
Keywords: checkin-needed
Comment 4•12 years ago
|
||
Flags: in-testsuite+
Reporter | ||
Updated•12 years ago
|
Keywords: checkin-needed
Updated•12 years ago
|
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 5•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 02e12a80aef9).
Reporter | ||
Comment 6•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Target Milestone: --- → mozilla21
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update]
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Comment 7•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•