Closed
Bug 851796
Opened 11 years ago
Closed 11 years ago
IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1795 or Crash on Heap with use of uninitialized value
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 852140
People
(Reporter: decoder, Unassigned)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update])
The following testcase asserts on mozilla-central revision 8f5b1f9f5804 (run with --ion-eager): function reportCompare (expected, actual, description) { if (expected != actual) {} } function enterFunc (funcName) { try {} catch(ex) {} } function foreachbug() { var arryInner = ["innervalue2"]; for each (i in arryInner) return ''; } reportCompare('', foreachbug()); eval("\ test();\ function test() {\ enterFunc ('test');\ var array = Array();\ for (var expect = 0; expect < 9; expect++)\ array[i] = i;\ reportCompare(expect, actual, summary);\ }\ ");
Reporter | ||
Comment 1•11 years ago
|
||
Same assert as bug 850657, but this one also crashes on opt builds in a dangerous way: ==14376== Use of uninitialised value of size 4 ==14376== at 0x557556D: ??? ==14376== ==14376== Invalid read of size 4 ==14376== at 0x557556D: ??? ==14376== Address 0x9f58 is not stack'd, malloc'd or (recently) free'd Not sure if this is the same bug.
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 122585:437c955ff06d user: Nicolas B. Pierron date: Wed Jan 30 07:41:01 2013 -0800 summary: Bug 796114 - Inline with type-checked arguments. r=h4writer This iteration took 14.300 seconds to run.
Comment 3•11 years ago
|
||
This test case is fixed by bug 852140 patch.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•