"Assertion failure: ctorValue.isObject() && ctorValue.toObject().is<JSFunction>()" with Worker and ParallelArray

RESOLVED WORKSFORME

Status

()

Core
JavaScript Engine
--
critical
RESOLVED WORKSFORME
4 years ago
26 days ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, sec-high, testcase})

Trunk
x86_64
Mac OS X
assertion, sec-high, testcase
Points:
---

Firefox Tracking Flags

(firefox26 disabled, firefox27 disabled, firefox28 disabled, firefox29 disabled, firefox30 disabled, firefox31 affected, firefox-esr24 disabled, b2g18 unaffected)

Details

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Created attachment 8339685 [details]
testcase with fragile timing

Assertion failure: ctorValue.isObject() && ctorValue.toObject().is<JSFunction>(), at js/src/builtin/ParallelArray.cpp:121
(Reporter)

Comment 1

4 years ago
Created attachment 8339686 [details]
stack (lldb)
(Reporter)

Updated

4 years ago
Group: core-security
status-b2g18: --- → unaffected
status-firefox26: --- → disabled
status-firefox27: --- → disabled
status-firefox28: --- → disabled
status-firefox29: --- → affected
status-firefox-esr24: --- → disabled
status-firefox28: disabled → affected
status-firefox29: affected → ---
status-firefox28: affected → disabled
status-firefox29: --- → affected
Keywords: sec-high
Group: javascript-core-security
Niko, could you look into this?  Thanks.
status-firefox29: affected → disabled
status-firefox30: --- → disabled
status-firefox31: --- → affected
Flags: needinfo?(nmatsakis)
I am confused. This is running on the trunk? I don't see how that could be, since builtin/ParallelArray.h was long ago removed.
Flags: needinfo?(nmatsakis) → needinfo?(jruderman)
(Reporter)

Comment 4

4 years ago
I reported this in November. ParallelArray was removed in December (bug 944074).
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(jruderman)
Resolution: --- → WORKSFORME
Group: javascript-core-security

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.