Bug 787709 (Closed): Crash [@ js::ArrayBufferObject::removeFinalizedView] or "Assertion failure: linkObj,"
Opened 12 years ago; closed 12 years ago.
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target milestone: mozilla18
Release | Tracking | Status
---|---|---
firefox15 | --- | unaffected
firefox16 | --- | unaffected
firefox17 | - | unaffected
firefox18 | + | fixed
firefox-esr10 | --- | unaffected
firefox-esr17 | --- | unaffected
People: Reporter gkw, Assigned sfink
Details: 5 keywords; Whiteboard: [jsbugmon:](fixed in bug 787775)[qa-]
Attachments (2 files): a text/plain testcase (deleted) and a patch (deleted)
Description

```js
// Fuzzer testcase for the SpiderMonkey js shell ("for each" is a SpiderMonkey-only construct)
for each(var x in DataView(eval("y = ArrayBuffer();"))) {};
function f() {
gc();
}
f();
```
asserts js debug shell on m-c changeset c64a9f342156 without any CLI arguments at Assertion failure: linkObj,
The testcase crashes js opt shell as well, at js::ArrayBufferObject::removeFinalizedView when pasted into the shell.
s-s because gc is involved and also because 0xa0 is being accessed.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 104015:804d74e217e3
user: Steve Fink
date: Thu Aug 23 21:29:42 2012 -0700
summary: Bug 720949 - Add JSAPI for transferring ArrayBuffer contents
Comment 1 • 12 years ago (Reporter)
I wonder why there was a tab-character in the testcase... Anyway here's an untabbed version:
```js
for each(var x in DataView(eval("y = ArrayBuffer();"))) {};
function f() {
gc();
}
f();
```
Updated • 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2 • 12 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5f7e3a8d6640).
Updated • 12 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated • 12 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 3 • 12 years ago
JSBugMon: Fix Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 104414:22e9cbb8bb92
user: Steve Fink
date: Wed Sep 05 15:00:39 2012 -0700
summary: Bug 787775 - Register DataViews with their ArrayBuffers upon creation. r=luke
Comment 4 • 12 years ago
Steve, is this a dup of 787775? If so, can we add the testcase here to the test suite at least?
Comment 5 • 12 years ago (Assignee)
(In reply to Christian Holler (:decoder) from comment #4)
> Steve, is this a dup of 787775? If so, can we add the testcase here to the
> test suite at least?
Yes, it is. I'll add something similar to the test suite. This works:

```sh
./js -e 'var ab = new ArrayBuffer(4); var dv = new DataView(ab); dv = 1; gc()'
```

(All you need to do is create a DataView on an ArrayBuffer, and gc the DataView without gcing the ArrayBuffer.)
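An added model of the invariant comment 5 describes and that the bug 787775 fix restores: a view that unregisters itself from its buffer at finalization must have been registered at creation. This is not SpiderMonkey's code or the bug's patch; Buffer, View, createView and finalizeView are hypothetical names, and the model returns false where the real engine asserted.

```cpp
// Added model, not SpiderMonkey source: a buffer that tracks its live views so
// that a view's finalizer can unlink itself, and the creation/finalization
// asymmetry that the fix in bug 787775 closes (names here are hypothetical).
#include <algorithm>
#include <vector>

struct Buffer;

struct View {
    Buffer* buffer;   // the ArrayBuffer this view aliases
    explicit View(Buffer* b) : buffer(b) {}
};

struct Buffer {
    std::vector<View*> views;   // views currently registered on this buffer

    // Called from a view's finalizer. Returns false instead of asserting when
    // the view was never registered, which is the inconsistent state the
    // report's "Assertion failure: linkObj" detected in debug builds.
    bool removeFinalizedView(View* v) {
        auto it = std::find(views.begin(), views.end(), v);
        if (it == views.end())
            return false;       // nothing to unlink: the view was never linked
        views.erase(it);
        return true;
    }
};

// Creation path. registerOnCreate=false models a path that hands out a view
// without registering it, while the finalizer below still tries to unregister.
View* createView(Buffer* b, bool registerOnCreate) {
    View* v = new View(b);
    if (registerOnCreate)
        b->views.push_back(v);
    return v;
}

// Finalizer: the view dies while its buffer stays alive, the ordering comment 5
// describes (drop the DataView, keep the ArrayBuffer, run gc).
bool finalizeView(View* v) {
    bool unlinked = v->buffer->removeFinalizedView(v);
    delete v;
    return unlinked;
}

// Runs one create/finalize cycle; true only when creation registered the view.
bool viewLifecycleConsistent(bool registerOnCreate) {
    Buffer b;
    View* v = createView(&b, registerOnCreate);
    bool ok = finalizeView(v);
    return ok && b.views.empty();
}
```

The registered path unlinks cleanly; the unregistered path is the state a debug assertion (or, in an opt build, a bad pointer dereference) would surface.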
Comment 6 • 12 years ago (Assignee)
I verified that this crashes before, does not crash after.
Updated • 12 years ago (Assignee)
Assignee: general → sphink
Comment 7 • 12 years ago (Assignee)
Comment 8 • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → DUPLICATE
Target Milestone: --- → mozilla18
Comment 9 • 12 years ago (Reporter)
Marking VERIFIED as testcase has landed in the testsuite.
Status: RESOLVED → VERIFIED
Comment 10 • 12 years ago
If this is a duplicate of 787775 and like that one a regression from bug 720949 then is Firefox 17 really "affected"? If so is it too late to uplift the patch in bug 787775 to Firefox 17 Beta?
tracking-firefox17: --- → ?
tracking-firefox18: --- → +
Whiteboard: [jsbugmon:] → [jsbugmon:][sg:dupe 787775]
Comment 11 • 12 years ago
(In reply to Daniel Veditz [:dveditz] from comment #10)
> If this is a duplicate of 787775 and like that one a regression from bug
> 720949 then is Firefox 17 really "affected"? If so is it too late to uplift
> the patch in bug 787775 to Firefox 17 Beta?
It doesn't look like Firefox 17 could be affected here since both bug 787775 and 720949 appear to only affect 18. Minusing for tracking unless someone has a different read on this.
Comment 12 • 12 years ago (Assignee)
That is correct; 17 is not affected.
Comment 13 • 12 years ago
Since the bug this was dupe'd to was not a security bug I'd rather mark this issue "fixed" and "depends on" the dupe.
Doesn't need to remain hidden because it never even made it as far as Beta releases.
Group: core-security
status-firefox-esr17: --- → unaffected
Depends on: 787775
Resolution: DUPLICATE → FIXED
Whiteboard: [jsbugmon:][sg:dupe 787775] → [jsbugmon:](fixed in bug 787775)
Comment 14 • 12 years ago
Marking as qa- per comment 9.
Whiteboard: [jsbugmon:](fixed in bug 787775) → [jsbugmon:](fixed in bug 787775)[qa-]