Closed
Bug 935006
Opened 11 years ago
Closed 11 years ago
Assertion failure: slotInRange(slot), at ../vm/ObjectImpl.h:1339 or Crash [@ getSlotAddressUnchecked]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
| Tracking | Status | |
|---|---|---|
| firefox27 | --- | unaffected |
| firefox28 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
989 bytes,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 770de5942471 (threadsafe build, no options required):
function testx() {
var BUGNUMBER = '';
var summary = '';
var actual = '';
test(BUGNUMBER);
function test() {
try {
(function () { eval("'foo'.b()", arguments) })();
} catch(ex) {
actual = ex + '';
}
}
} testx();
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
Crash Signature: [@ getSlotAddressUnchecked]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
|
|
Reporter | |
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/495a9c210b91
user: Jan de Mooij
date: Mon Nov 04 11:40:24 2013 +0100
summary: Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett
This iteration took 430.105 seconds to run.
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox27:
--- → unaffected
status-firefox28:
--- → affected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5446435cc94a).
|
||
Comment 4•11 years ago
|
||
This was fixed by backing out bug 933798.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Keywords: regression
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 5•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•