Closed
Bug 1032206
Opened 10 years ago
Closed 10 years ago
Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp:314 with Symbol
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla33
| Tracking | Status | |
|---|---|---|
| firefox33 | --- | affected |
People
(Reporter: decoder, Assigned: jorendorff)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
(deleted),
text/plain
|
Details | |
|
(deleted),
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision b6408c32a170 (run with --fuzzing-safe):
gczeal(4);
var symbols = [ Symbol(), Symbol.iterator ];
for (var comparator of [">", ">="])
for (var a of symbols) {}
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
Marked s-s because it's GC-related.
status-firefox33:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•10 years ago
|
Flags: needinfo?(jorendorff)
|
Assignee | |
Comment 3•10 years ago
|
||
Assignee: nobody → jorendorff
Attachment #8448260 -
Flags: review?(terrence)
Flags: needinfo?(jorendorff)
|
|
Assignee | |
Comment 4•10 years ago
|
||
This isn't s-s, as it turns out, because the assertion is bogus. (I introduced a situation the verifier didn't know about and neglected to update the verifier.)
Group: core-security
|
||
Comment 5•10 years ago
|
||
Comment on attachment 8448260 [details] [diff] [review]
bug-1032206-gc-v1.patch
Review of attachment 8448260 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks! r=me
Attachment #8448260 -
Flags: review?(terrence) → review+
|
||
Comment 6•10 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d8e2600e9aa3
user: Jason Orendorff
date: Mon Jun 23 10:56:49 2014 -0500
summary: Bug 645417, part 10 - Well-known symbols. r=terrence,r=efaust.
(The commit message had the wrong bug number, it should be bug 645416 instead)
Jason, hopefully this isn't waiting on anything for landing? (fwiw jsfunfuzz hits this)
Blocks: harmony:symbols
Flags: needinfo?(jorendorff)
Keywords: regression
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Assignee | |
Comment 7•10 years ago
|
||
Flags: needinfo?(jorendorff)
|
||
Comment 8•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
You need to log in
before you can comment on or make changes to this bug.
Description
•