Closed
Bug 936013
Opened 11 years ago
Closed 11 years ago
Assertion failure: is<T>(), at ../jsobj.h:1156 or Crash [@ getClass] with neuter
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
People
(Reporter: decoder, Assigned: sfink)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files, 3 obsolete files)
|
1.14 KB,
text/plain
|
Details | |
|
1.08 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 70de5e24d79b (run with --fuzzing-safe):
function TestCase(n, d, e, a)
TestCase.prototype.dump = function () {};
var ab = new TestCase(12);
neuter(ab);
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
Attachment #828673 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 3•11 years ago
|
||
Attachment #829847 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 4•11 years ago
|
||
This also crashes in some situations.
Crash Signature: [@ getClass]
Keywords: crash
Summary: Assertion failure: is<T>(), at ../jsobj.h:1156 with neuter → Assertion failure: is<T>(), at ../jsobj.h:1156 or Crash [@ getClass] with neuter
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Comment 5•11 years ago
|
||
Attachment #830125 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 6•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/0d14c2de356e
user: Steve Fink
date: Tue Nov 05 14:42:16 2013 -0800
summary: Bug 935173 - Fix JS_NeuterArrayBuffer and call it, r=Waldo
This iteration took 1.092 seconds to run.
|
Assignee | |
Comment 7•11 years ago
|
||
Just can't get a break from those fuzzers... ;-)
Attachment #831010 -
Flags: review?(jwalden+bmo)
|
|
Assignee | |
Updated•11 years ago
|
Assignee: general → sphink
Status: NEW → ASSIGNED
|
||
Comment 8•11 years ago
|
||
Comment on attachment 831010 [details] [diff] [review]
Type check JS_NeuterArrayBuffer argument
Review of attachment 831010 [details] [diff] [review]:
-----------------------------------------------------------------
Stealing review.
Attachment #831010 -
Flags: review?(jwalden+bmo) → review+
|
|
Assignee | |
Comment 9•11 years ago
|
||
|
||
Comment 10•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
||
Comment 11•11 years ago
|
||
I get nothing with Nightly js shell from 2013-11-07 on Ubuntu 13.10 64bit.
With FF 28 beta 2 shell I get: "Error: ArrayBuffer object required"
Any idea on this?
Flags: needinfo?(sphink)
|
|
||
Comment 13•11 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #12)
> That error message is the correct behavior.
Thanks for the reply.
Marking as verified.
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in
before you can comment on or make changes to this bug.
Description
•