Closed
Bug 831658
Opened 10 years ago
Closed 10 years ago
"Assertion failure: inUse_.empty(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | --- | unaffected |
firefox20 | --- | unaffected |
firefox21 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
3.59 KB,
text/plain
|
Details | |
945 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
String.prototype.search = evalcx('').String.prototype.search x = /./.test() ''.search(/()/) asserts js debug shell on m-c changeset ce9cdd801a73 without any CLI arguments at Assertion failure: inUse_.empty(), s-s because gc is on the stack. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 118977:f2e3d3913d70 user: Sean Stangl date: Tue Jan 15 15:35:25 2013 -0800 summary: Bug 829758 - use MatchOnly mode for str_search(). r=dvander
![]() |
Reporter | |
Comment 1•10 years ago
|
||
Sean, this seems to point to bug 829758 as the regressor.
status-b2g18:
--- → unaffected
status-firefox-esr10:
--- → unaffected
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → unaffected
Flags: needinfo?(sstangl)
![]() |
Reporter | |
Updated•10 years ago
|
tracking-firefox21:
--- → ?
![]() |
Reporter | |
Comment 2•10 years ago
|
||
Tentatively rating sec-critical, because compartments and gc are on the stack.
![]() |
Reporter | |
Updated•10 years ago
|
Keywords: sec-critical
Comment 3•10 years ago
|
||
evalcx() lets multiple RegExpStatics leak into the same RegExpCompartment's RegExpShared usage table. This is safe: we just need to iterate in the destructor.
Attachment #703610 -
Flags: review?(dvander)
Flags: needinfo?(sstangl)
![]() |
||
Updated•10 years ago
|
Attachment #703610 -
Flags: review?(dvander) → review+
![]() |
Reporter | |
Updated•10 years ago
|
Keywords: checkin-needed
Comment 4•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e7658d7727c
Flags: in-testsuite+
![]() |
Reporter | |
Updated•10 years ago
|
Keywords: checkin-needed
Updated•10 years ago
|
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 5•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 02e12a80aef9).
![]() |
Reporter | |
Comment 6•10 years ago
|
||
This landed. http://hg.mozilla.org/mozilla-central/rev/4e7658d7727c
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Target Milestone: --- → mozilla21
![]() |
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update]
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
Comment 7•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•