Closed
Bug 906024
Opened 12 years ago
Closed 12 years ago
Assertion failure: output.type() == MIRType_Int32, at jit/IonCaches.cpp:1024 or Crash [@ ToPrimitive]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 906035
| Tracking | Status | |
|---|---|---|
| firefox25 | --- | unaffected |
| firefox26 | --- | affected |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: efaust)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
1.12 KB,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 1ed5a88cd4d0 (run with --fuzzing-safe --ion-eager):
function y() { return "foo,bar"; }
function x() {
var z = y().split(',');
for (var i = 0; i < z.length; i++) {}
}
gczeal(2);
Object.prototype.length = function () {};
x();
|
Reporter | |
Comment 1•12 years ago
|
||
Actually this should be a security-bug because gczeal is involved and we're crashing after confusing some types.
Group: core-security
Crash Signature: [@ ToPrimitive]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Comment 2•12 years ago
|
||
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•12 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/42776e928f7b
user: Eric Faust
date: Sat Aug 10 22:20:36 2013 -0700
summary: Bug 902264 - Part 2: Expose Array.length optimization to idempotent GetPropertyICs. (r=jandem)
This iteration took 0.737 seconds to run.
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox25:
--- → unaffected
status-firefox26:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox26:
--- → +
|
||
Comment 5•12 years ago
|
||
Over IRC, efaust said this is probably a dupe of something he has an unlanded patch for, so I'm just going to assign it to him, and decoder's robots can confirm this, or something.
Assignee: general → efaustbmo
Flags: needinfo?(efaustbmo)
|
Assignee | |
Comment 6•12 years ago
|
||
This is indeed a dupe of 906035, with the same assertion.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
|
||
Updated•12 years ago
|
tracking-firefox26:
+ → ---
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•