Closed
Bug 875765
Opened 12 years ago
Closed 11 years ago
Assertion failure: index < natoms, at ../jsscript.h:772 or Crash [@ range]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
Crash Data
Attachments
(2 files, 1 obsolete file)
|
937 bytes,
text/plain
|
Details | |
|
872 bytes,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision df526497d949 (run with --ion-eager):
eval("(function() { \
var f = '';\
var flags = new Array(); \
flags[2] = 'm';\
flags[3] = undefined;\
test();\
function test() {\
for (j in flags)\
f = flags[j];\
}\
" + " })();");
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
S-s because this is a dangerous range assertion and it non-deterministically crashes in opt builds.
|
|
Reporter | |
Comment 3•12 years ago
|
||
Attachment #753772 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 4•12 years ago
|
||
This can also lead to heap crashes with random address not covered by the machine-readable signature here.
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 5•12 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 132759:b9beff192aa2
user: Brian Hackett
date: Thu May 23 05:59:53 2013 -0600
summary: Bug 864218 - Improve performance when accessing variables defined in run-once closures, r=luke,jandem.
This iteration took 322.733 seconds to run.
|
|
Reporter | |
Comment 6•12 years ago
|
||
Brian, can you take a look based on comment 5? Thanks.
Flags: needinfo?(bhackett1024)
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 7•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 7a2f7a45819a).
|
||
Updated•12 years ago
|
Blocks: 864218
Keywords: regression
|
|
||
Comment 8•12 years ago
|
||
Looks like it went away when bug 864218 was backed out.
|
Assignee | |
Comment 9•12 years ago
|
||
Assignee: general → bhackett1024
Attachment #754882 -
Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 10•12 years ago
|
||
Opening this up since 864218 is no longer in the tree.
Group: core-security
|
||
Updated•12 years ago
|
Attachment #754882 -
Flags: review?(jdemooij) → review+
|
|
||
Comment 11•12 years ago
|
||
(Nice, it looks like this bug caused the DoTypeUpdateFallback topcrash, bug 875757.)
|
|
||
Comment 12•11 years ago
|
||
Fix landed as part of bug 864218.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•