Closed
Bug 1133354
Opened 9 years ago
Closed 9 years ago
Assertion failure: (LookupAliasedNameSlot(bceOfDef, bceOfDef->script, pn->name(), &sc)), at frontend/BytecodeEmitter.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1140196
Tracking | Status | |
---|---|---|
firefox38 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
15.06 KB,
text/plain
|
Details |
for (var { N, x: { c: { x: w = ((function(x) { return { n() { (function() { for (z in x) {} })() } } })) } } } in w) {} asserts js debug shell on m-c changeset 81f979b17fbd with --fuzzing-safe --no-threads --ion-eager at Assertion failure: (LookupAliasedNameSlot(bceOfDef, bceOfDef->script, pn->name(), &sc)), at frontend/BytecodeEmitter.cpp. Debug configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-optimize --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-central" -r 81f979b17fbd === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b". The "bad" changeset has the timestamp "20150121021935" and the hash "8832848bf234". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=26d8f946a53b&tochange=8832848bf234 Jason, is bug 932080 a likely regressor?
Flags: needinfo?(jorendorff)
Reporter | ||
Comment 1•9 years ago
|
||
(lldb) bt 5 * thread #1: tid = 0x303c3, 0x0000000100180b41 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitVarOp(js::ExclusiveContext*, js::frontend::ParseNode*, JSOp, js::frontend::BytecodeEmitter*) [inlined] EmitAliasedVarOp(cx=<unavailable>, pn=<unavailable>) + 657 at BytecodeEmitter.cpp:1365, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x0000000100180b41 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitVarOp(js::ExclusiveContext*, js::frontend::ParseNode*, JSOp, js::frontend::BytecodeEmitter*) [inlined] EmitAliasedVarOp(cx=<unavailable>, pn=<unavailable>) + 657 at BytecodeEmitter.cpp:1365 frame #1: 0x00000001001808b0 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitVarOp(cx=<unavailable>, pn=<unavailable>, op=JSOP_INITALIASEDLEXICAL, bce=<unavailable>) + 2704 at BytecodeEmitter.cpp:1421 frame #2: 0x000000010018a67e js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitNameOp(cx=0x0000000101d16e20, bce=0x00007fff5fbfa8a8, pn=0x0000000102050d30, callContext=false) + 174 at BytecodeEmitter.cpp:2341 frame #3: 0x00000001001707d1 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`js::frontend::EmitTree(cx=<unavailable>, bce=<unavailable>, pn=<unavailable>) + 5217 at BytecodeEmitter.cpp:7260 frame #4: 0x0000000100173994 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`js::frontend::EmitTree(js::ExclusiveContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) [inlined] EmitForIn(cx=<unavailable>, bce=<unavailable>, pn=0x0000000102050c88, top=<unavailable>) + 74 at BytecodeEmitter.cpp:5099 (lldb)
Updated•9 years ago
|
Group: core-security, javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: javascript-core-security, core-security-release
Keywords: sec-critical
You need to log in
before you can comment on or make changes to this bug.
Description
•