Closed Bug 382503 Opened 17 years ago Closed 17 years ago

"Assertion failure: (slot) < (uint32)(obj)->dslots[-1]" with prototype=regexp

Tracking

()

Status:

VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:critical?] fixed by bug 382532)

Attachments

(1 file)

js1_5/Object/regress-382503.js 17 years ago Bob Clary [:bc] (inactive) 2.19 KB, text/plain		Details

Jesse Ruderman

Reporter

Description

•

17 years ago

function f(x)
{
  prototype = /a/;

  if (x) {
    return /b/;
    return /c/;
  } else {
    return /d/;
  }
}

void f(false);


Triggers:
Assertion failure: (slot) < (uint32)(obj)->dslots[-1], at jsobj.c:4990

0   JS_Assert
1   js_SetRequiredSlot + 380 (jsobj.c:4990)
2   JS_SetReservedSlot + 188 (jsapi.c:4013)
3   js_Interpret + 66856 (jsinterp.c:4266)
4   js_Execute + 715 (jsinterp.c:1591)
5   JS_ExecuteScript + 54 (jsapi.c:4693)
6   Process + 912 (js.c:268)
7   ProcessArgs + 2045 (js.c:519)
8   main + 612 (js.c:3271)
9   _start + 216
10  start + 41

Jesse Ruderman

Reporter

Comment 1

•

17 years ago

Is this a memory safety bug?

Blake Kaplan (:mrbkap) (inactive)

Comment 2

•

17 years ago

Yeah, you'd probably get heap corruption in opt builds.

Jesse Ruderman

Reporter

Updated

•

17 years ago

Flags: blocking1.9?

Whiteboard: [sg:critical?]

Jesse Ruderman

Reporter

Comment 3

•

17 years ago

WFM.  mrbkap says this was fixed (and fixed properly) by bug 382532.

Status: NEW → RESOLVED

Closed: 17 years ago

Depends on: 382532

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Updated

•

17 years ago

Flags: wanted1.8.1.x+

Flags: wanted1.8.0.x+

Flags: blocking1.8.1.5+

Flags: blocking1.8.0.13+

Bob Clary [:bc] (inactive)

Comment 4

•

17 years ago

Attached file js1_5/Object/regress-382503.js — Details

Bob Clary [:bc] (inactive)

Updated

•

17 years ago

Flags: in-testsuite+

Daniel Veditz [:dveditz]

Updated

•

17 years ago

Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 382532

Jay Patel [:jay]

Comment 5

•

17 years ago

Marking fixed1.8.1.5 per bug 382532 landing.

Keywords: fixed1.8.1.5

Bob Clary [:bc] (inactive)

Comment 6

•

17 years ago

verified fixed 1.8.1, 1.9.0 windows/linux/macppc opt/debug browser/shell 7/16

Status: RESOLVED → VERIFIED

Keywords: fixed1.8.1.5 → verified1.8.1.5

Daniel Veditz [:dveditz]

Updated

•

17 years ago

Flags: blocking1.8.0.13+ → blocking1.8.0.14+

Daniel Veditz [:dveditz]

Updated

•

17 years ago

Group: security

Bob Clary [:bc] (inactive)

Comment 7

•

17 years ago

/cvsroot/mozilla/js/tests/js1_5/Object/regress-382503.js,v  <--  regress-382503.js
initial revision: 1.1

Daniel Veditz [:dveditz]

Comment 8

•

17 years ago

bug 382532 was fixed on both 1.8 branches

Flags: blocking1.8.0.14+

Keywords: fixed1.8.0.13

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

"Assertion failure: (slot) < (uint32)(obj)->dslots[-1]" with prototype=regexp

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:critical?] fixed by bug 382532)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Comment 3

Updated

Comment 4

Updated

Updated

Comment 5

Comment 6

Updated

Updated

Comment 7

Comment 8

Attachment

General

Description

File Name

Content Type