Closed Bug 914098 Opened 11 years ago Closed 11 years ago

Assertion failure: !unknownObject(), at jsinferinlines.h:1378

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla26

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

[crash-signature] Machine-readable crash signature
654 bytes, text/plain
Details
patch
1.60 KB, patch
jandem
: review+
Details | Diff | Splinter Review
stack of hitting this on google map maker
17.43 KB, text/plain
Details 
The following testcase asserts on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe):


function ygTreeView(id) {};
function ygNode() {}
ygNode.prototype.init = function () {
    this.children = [];
}
ygTextNode.prototype = new ygNode;
function ygTextNode() {
    this.init(it.next.bind(it), StopIteration)
}
userTree = new ygTreeView("userTree")
addMenuNode(userTree)
function addMenuNode(tree) {
    new ygTextNode({}, tree.root, false)
}
seems this also happens in realworld sites since bughunter was also discovering sites with this assertion
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/abb25a18b5a5
user:        Brian Hackett
date:        Mon Sep 02 10:05:27 2013 -0700
summary:     Bug 906788 - Construct TypeObject newScript information using MIR, r=jandem.

This iteration took 339.772 seconds to run.
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
Assignee: general → bhackett1024

        Attachment #802515 -
        Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)

        Attachment #802515 -
        Flags: review?(jdemooij) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/b713e1beae22
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26

    
    

    
  


  
I hit this crash on a link from email from Google Map Maker.

2b26501fd203 (i.e., without the fix)

    
    

    
  
(In reply to David Baron [:dbaron] (needinfo? me) (busy through Sept. 14) from comment #8)
> Created attachment 803767 [details]
> stack of hitting this on google map maker
> 
> I hit this crash on a link from email from Google Map Maker.
> 
> 2b26501fd203 (i.e., without the fix)

I think the patch should fix this crash.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: