Closed
Bug 352372
Opened 18 years ago
Closed 18 years ago
More ways to hit the assertion in js_PeekTokenSameLine from CheckGetterOrSetter
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.8.1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: crash, testcase, verified1.8.1)
Attachments
(1 file)
|
1002 bytes,
patch
|
mrbkap
:
review+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
These all cause an assertion:
eval("setter/*\n*/;")
eval("setter/*\n*/g")
eval("setter/*\n*/ ;")
eval("setter/*\n*/ g")
Assertion failure: ts->lookahead == 0 || (ts->flags & TSF_ERROR) || ON_CURRENT_LINE(ts, CURRENT_TOKEN(ts).pos) || (tt = ts->tokens[(ts->cursor+ts->lookahead) & NTOKENS_MASK].type, tt == TOK_EOL || tt == TOK_EOF), at jsscan.c:1018
I guess the fixes in bug 352208 weren't enough.
|
Assignee | |
Comment 1•18 years ago
|
||
You're right, that was a bogus assertion. js_PeekTokenSameLine must return TOK_EOL if the stream's lineno is ahead of the current token's ending lineno. The "Same" in the function name means that the token we are peeking at must be on the same line as the current token. The recent variations that botched the assertion all involved commented newlines. Since commented newlines are not tokenized, but ts->lineno advances as the commented newline is scanned, we have to return a token type other than the wanted one. We must not buffer the type in ts->tokens, but we need to return something that can't be on the same line. TOK_EOL suffices. /be
|
|
Assignee | |
Updated•18 years ago
|
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
|
||
Updated•18 years ago
|
Attachment #238012 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 2•18 years ago
|
||
Fixed on trunk. /be
|
|
Assignee | |
Comment 3•18 years ago
|
||
Comment on attachment 238012 [details] [diff] [review] fix This is a safe patch to replace a bogus assertion with a test for whether the scanner has moved on to a higher line number from the one in the current token. This helps Jesse's fuzzer avoid asserting. It avoids peeking at another line's token when the caller wants only tokens from the current line (this happens when a comment hides a newline). For the 1.8 branch, it should be safe to simply remove the assertion. The fact that the scanner is on a successor line to the line containing the current token means that someone already peeked, so the js_PeekToken should not scan further ahead, but simply find the buffered token. However, js_PeekTokenSameLine will then return as if that token were on the same line as the current token, when it's not. So I think it's simpler and safer to take the whole patch for 1.8.1. /be
Attachment #238012 -
Flags: approval1.8.1?
|
||
Comment 4•18 years ago
|
||
Comment on attachment 238012 [details] [diff] [review] fix a=schrep for js crash fix.
Attachment #238012 -
Flags: approval1.8.1? → approval1.8.1+
|
|
Assignee | |
Comment 5•18 years ago
|
||
Fixed on the 1.8 branch. /be
|
||
Comment 6•18 years ago
|
||
Checking in regress-352372.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-352372.js,v <-- regress-352372.js initial revision: 1.1 done
Flags: in-testsuite+
|
|
||
Comment 7•18 years ago
|
||
verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•