Closed
Bug 382503
Opened 17 years ago
Closed 17 years ago
"Assertion failure: (slot) < (uint32)(obj)->dslots[-1]" with prototype=regexp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Unassigned)
References
Details
(4 keywords, Whiteboard: [sg:critical?] fixed by bug 382532)
Attachments
(1 file)
2.19 KB,
text/plain
function f(x)
{
  prototype = /a/;
  if (x) {
    return /b/;
    return /c/;
  } else {
    return /d/;
  }
}

void f(false);

Triggers:

Assertion failure: (slot) < (uint32)(obj)->dslots[-1], at jsobj.c:4990

0 JS_Assert
1 js_SetRequiredSlot + 380 (jsobj.c:4990)
2 JS_SetReservedSlot + 188 (jsapi.c:4013)
3 js_Interpret + 66856 (jsinterp.c:4266)
4 js_Execute + 715 (jsinterp.c:1591)
5 JS_ExecuteScript + 54 (jsapi.c:4693)
6 Process + 912 (js.c:268)
7 ProcessArgs + 2045 (js.c:519)
8 main + 612 (js.c:3271)
9 _start + 216
10 start + 41
Reporter
Comment 1•17 years ago
Is this a memory safety bug?
Comment 2•17 years ago
Yeah, you'd probably get heap corruption in opt builds.
Reporter
Updated•17 years ago
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Reporter
Comment 3•17 years ago
WFM. mrbkap says this was fixed (and fixed properly) by bug 382532.
Updated•17 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13+
Comment 4•17 years ago
Updated•17 years ago
Flags: in-testsuite+
Updated•17 years ago
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 382532
Comment 6•17 years ago
verified fixed 1.8.1, 1.9.0 windows/linux/macppc opt/debug browser/shell 7/16
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.5 → verified1.8.1.5
Updated•17 years ago
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Updated•17 years ago
Group: security
Comment 7•17 years ago
/cvsroot/mozilla/js/tests/js1_5/Object/regress-382503.js,v <-- regress-382503.js initial revision: 1.1
Comment 8•17 years ago
bug 382532 was fixed on both 1.8 branches
Flags: blocking1.8.0.14+
Keywords: fixed1.8.0.13