Closed
Bug 959163
Opened 10 years ago
Closed 10 years ago
Crash [@ mozilla::DebugOnly<JS::Zone*>::DebugOnly] with Array.buildPar
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla29
People
(Reporter: decoder, Assigned: shu)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
|
559 bytes,
text/plain
|
Details | |
|
1.28 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 12d3ba62a599 (threadsafe build, run with --fuzzing-safe --thread-count=2 --ion-compile-try-catch):
var actual = '';
var formatter = new Intl.NumberFormat();
var f = function() {
return Array.buildPar(256, function(i) {
var x = [];
x[actual] = i;
}, {mode:"compile"});
};
f();
f();
|
Reporter | |
Comment 1•10 years ago
|
||
Options got a bit messed up, thread count and --ion-compile-try-catch isn't needed for this.
|
|
Reporter | |
Comment 2•10 years ago
|
||
|
Assignee | |
Comment 3•10 years ago
|
||
PropertyTree::lookupChild can return a null Shape *. Only do the debug zone asserts on non-null Shape *s.
Attachment #8361410 -
Flags: review?(jorendorff)
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → shu
Status: NEW → ASSIGNED
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8361410 [details] [diff] [review] Fix debug asserts in PropertyTree::lookupChild. Review of attachment 8361410 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay here.
Attachment #8361410 -
Flags: review?(jorendorff) → review+
|
||
Comment 5•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/1f44e9a52d8e
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
|
|
Reporter | |
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 6•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
You need to log in
before you can comment on or make changes to this bug.
Description
•