Closed Bug 1133354 Opened 9 years ago Closed 9 years ago

Assertion failure: (LookupAliasedNameSlot(bceOfDef, bceOfDef->script, pn->name(), &sc)), at frontend/BytecodeEmitter.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1140196
Tracking Status
firefox38 --- affected

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

for (var {
    N, x: {
        c: {
            x: w = ((function(x) {
                return {
                    n() {
                        (function() {
                            for (z in x) {}
                        })()
                    }
                }
            }))
        }
    }
} in w) {}

asserts js debug shell on m-c changeset 81f979b17fbd with --fuzzing-safe --no-threads --ion-eager at Assertion failure: (LookupAliasedNameSlot(bceOfDef, bceOfDef->script, pn->name(), &sc)), at frontend/BytecodeEmitter.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-optimize --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-central" -r 81f979b17fbd

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150121013236" and the hash "26d8f946a53b".
The "bad" changeset has the timestamp "20150121021935" and the hash "8832848bf234".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=26d8f946a53b&tochange=8832848bf234

Jason, is bug 932080 a likely regressor?
Flags: needinfo?(jorendorff)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x303c3, 0x0000000100180b41 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitVarOp(js::ExclusiveContext*, js::frontend::ParseNode*, JSOp, js::frontend::BytecodeEmitter*) [inlined] EmitAliasedVarOp(cx=<unavailable>, pn=<unavailable>) + 657 at BytecodeEmitter.cpp:1365, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100180b41 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitVarOp(js::ExclusiveContext*, js::frontend::ParseNode*, JSOp, js::frontend::BytecodeEmitter*) [inlined] EmitAliasedVarOp(cx=<unavailable>, pn=<unavailable>) + 657 at BytecodeEmitter.cpp:1365
    frame #1: 0x00000001001808b0 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitVarOp(cx=<unavailable>, pn=<unavailable>, op=JSOP_INITALIASEDLEXICAL, bce=<unavailable>) + 2704 at BytecodeEmitter.cpp:1421
    frame #2: 0x000000010018a67e js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`EmitNameOp(cx=0x0000000101d16e20, bce=0x00007fff5fbfa8a8, pn=0x0000000102050d30, callContext=false) + 174 at BytecodeEmitter.cpp:2341
    frame #3: 0x00000001001707d1 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`js::frontend::EmitTree(cx=<unavailable>, bce=<unavailable>, pn=<unavailable>) + 5217 at BytecodeEmitter.cpp:7260
    frame #4: 0x0000000100173994 js-dbg-64-dm-nsprBuild-darwin-81f979b17fbd`js::frontend::EmitTree(js::ExclusiveContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) [inlined] EmitForIn(cx=<unavailable>, bce=<unavailable>, pn=0x0000000102050c88, top=<unavailable>) + 74 at BytecodeEmitter.cpp:5099
(lldb)
Group: core-security, javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: javascript-core-security, core-security-release
Keywords: sec-critical