Closed
Bug 880529
Opened 11 years ago
Closed 11 years ago
Assertion failure: rangeStart <= rangeEnd, at mozilla/RangedPtr.h:75 or Crash [@ leftChild] or Opt-Crash [@ JSRope::flattenInternal]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
Details
(5 keywords, Whiteboard: [jsbugmon:update,reconfirm])
Crash Data
Attachments
(1 file)
|
1.14 KB,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 204de5b7e0a6 (run with --ion-eager):
function startTest() {}
function writeHeaderToLog( string ) {
unescape(string);
}
writeHeaderToLog("");
writeHeaderToLog("");
evaluate('writeHeaderToLog(startTest.prototype);', { noScriptRval : true });
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
This reduced test crashes with a null-deref, but previous stages also showed the mentioned assert and dangerous crashes. Assuming there's something wrong with strings and marking as sec-high therefore.
Crash Signature: [@ leftChild]
[@ JSRope::flattenInternal]
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ leftChild]
[@ JSRope::flattenInternal] → [@ leftChild]
[@ JSRope::flattenInternal]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9ca690835a5e). JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/e1bca8b56470 user: Jan de Mooij date: Fri May 24 14:03:31 2013 +0200 summary: Bug 868431 - Disable Ion when Baseline is disabled, remove bailout-to-interpreter code. r=djvj This iteration took 20.086 seconds to run.
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ leftChild]
[@ JSRope::flattenInternal] → [@ leftChild]
[@ JSRope::flattenInternal]
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ leftChild]
[@ JSRope::flattenInternal] → [@ leftChild]
[@ JSRope::flattenInternal]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 4•11 years ago
|
||
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/7df36088f645 user: Kannan Vijayan date: Wed Jun 05 16:42:23 2013 -0400 summary: Bug 877287. r=h4writer This iteration took 0.649 seconds to run.
|
|
Reporter | |
Comment 5•11 years ago
|
||
Djvj, is comment 4 likely a fix?
Crash Signature: [@ leftChild]
[@ JSRope::flattenInternal] → [@ leftChild]
[@ JSRope::flattenInternal]
|
|
Reporter | |
Updated•11 years ago
|
Flags: needinfo?(kvijayan)
|
||
Comment 6•11 years ago
|
||
I can't reproduce this even when I back out my changes. Looking at the code and crash signature, I don't think comment 4 fixes this issue.
Flags: needinfo?(kvijayan)
|
||
Comment 7•11 years ago
|
||
I can't reproduce this. decoder does the fuzzer still hit this? The testcase is very small so if the bug is still there it should still show up I think.
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:] → [jsbugmon:update,reconfirm]
|
|
Reporter | |
Comment 8•11 years ago
|
||
Talked to jandem on IRC. This test doesn't reproduce anymore and we don't have the fixing changeset (because comment 4 doesn't seem to be right), but the test is very simple and we're confident that this is either gone, or it will pop up in the fuzzers again.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•