Closed
Bug 961741
Opened 11 years ago
Closed 11 years ago
GenerationalGC: Assertion failure: thing, at gc/Marking.cpp:127
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
People
(Reporter: decoder, Assigned: jonco)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:ignore])
Attachments
(1 file)
|
(deleted),
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 4e671e3183c4 (run with --fuzzing-safe):
function r() {
for (var x in undefined) {}
}
setObjectMetadataCallback(true);
r();
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → jcoppeard
|
|
Assignee | |
Comment 1•11 years ago
|
||
The shape's parent can be null, so we just need to check this before we try marking it in the postbarrier callback.
Attachment #8365505 -
Flags: review?(terrence)
|
||
Comment 2•11 years ago
|
||
Comment on attachment 8365505 [details] [diff] [review]
shape-postbarrier-fuzzbug
Review of attachment 8365505 [details] [diff] [review]:
-----------------------------------------------------------------
Ah, makes sense. r=me
Attachment #8365505 -
Flags: review?(terrence) → review+
|
|
Assignee | |
Comment 3•11 years ago
|
||
|
||
Comment 4•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
You need to log in
before you can comment on or make changes to this bug.
Description
•