Closed Bug 352797 Opened 13 years ago Closed 13 years ago

"Assertion failure: OBJ_GET_CLASS(cx, obj) == &js_BlockClass" with xml filtering predicate operator, eval.call, let

Categories

(Core :: JavaScript Engine, defect, critical)

Tracking

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, verified1.8.1.1)

Attachments

(1 file)

js> (function() { let (x = eval.call(<x/>.(1), "")) {} })()     
Assertion failure: OBJ_GET_CLASS(cx, obj) == &js_BlockClass, at jsinterp.c:6024
Seems like a null deref in opt builds.
js> (function(){let x = 'fafafa'.replace(/a/g, new Script(''))})()
Assertion failure: OBJ_GET_CLASS(cx, obj) == &js_BlockClass, at jsinterp.c:5835
Flags: blocking1.8.1.1?
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Attached patch: fix
We really should have seen this when hacking js_GetScopeChain.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #241748 - Flags: review?(mrbkap)
Blocks: js1.7src
Attachment #241748 - Flags: review?(mrbkap) → review+
Fixed on trunk:

Checking in jsfun.c;
/cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
new revision: 3.168; previous revision: 3.167
done
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.298; previous revision: 3.297
done

/be
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Attachment #241748 - Flags: approval1.8.1.1?
Depends on: 356250
The fix introduced bug 356250.

/be
Blocks: 356250
No longer depends on: 356250
RCS file: /cvsroot/mozilla/js/tests/js1_7/regress/regress-352797-01.js,v
done
Checking in regress-352797-01.js;
/cvsroot/mozilla/js/tests/js1_7/regress/regress-352797-01.js,v  <--  regress-352797-01.js
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/js1_7/regress/regress-352797-02.js,v
done
Checking in regress-352797-02.js;
/cvsroot/mozilla/js/tests/js1_7/regress/regress-352797-02.js,v  <--  regress-352797-02.js
initial revision: 1.1
done
Flags: in-testsuite+
verified fixed 1.9 20061012 windows/linux
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Comment on attachment 241748
fix

approved for 1.8 branch, a=dveditz for drivers
Attachment #241748 - Flags: approval1.8.1.1? → approval1.8.1.1+
Fixed on the 1.8 branch:

Checking in jsfun.c;
/cvsroot/mozilla/js/src/jsfun.c,v  <--  jsfun.c
new revision: 3.117.2.26; previous revision: 3.117.2.25
done
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.72; previous revision: 3.181.2.71
done

(along with the followup fix for bug 356250).

/be
Keywords: fixed1.8.1.1
verified fixed 20061122 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
No longer blocks: 349611
Blocks: 349611
catch the indirect eval exception on trunk

/cvsroot/mozilla/js/tests/js1_7/regress/regress-352797-02.js,v  <--  regress-352797-02.js
new revision: 1.3; previous revision: 1.2