Closed
Bug 950725
Opened 11 years ago
Closed 11 years ago
Assertion failure: throwing, at jscntxt.h:584 with GC
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])
Attachments
(1 file)
|
1.39 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 9e03cd21db08 (threadsafe build, run with --ion-eager):
function test() {
+ T[g].act
}
gc();
for (var i = 0; i < 20; test['$+']) {
try {
__count__(f(2), 1);
} catch (e) {}
}
|
Reporter | |
Comment 1•11 years ago
|
||
Marked s-s because it involves GC. Jandem is already investigating this one.
Whiteboard: [jsbugmon:update,bisect]
|
Assignee | |
Comment 2•11 years ago
|
||
Silly bug: js_HandleExecutionInterrupt can end up calling clearPendingException (somewhere deep inside the parser, under AttachFinishedCompilations). The getPendingException call in GetAndClearException then fails. This patch gets and clears the pending exception before calling js_HandleExecutionInterrupt.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #8348142 -
Flags: review?(bhackett1024)
|
||
Updated•11 years ago
|
Attachment #8348142 -
Flags: review?(bhackett1024) → review+
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
|
Assignee | |
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/323b1482feec Also has a one-line fix for a VMFunction marking issue exposed by this patch; r=nbp on IRC for that. Not security sensitive, we could get |undefined| instead of the actual exception value but that's not exploitable.
Group: core-security
|
||
Comment 5•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/323b1482feec
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
|
||
Updated•10 years ago
|
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•