Closed Bug 355832 Opened 18 years ago Closed 18 years ago

"Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE" or null deref [@ js_FindProperty] with "let" that binds nothing

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

Details

(Keywords: crash, testcase, verified1.8.1.1)

Attachments

(1 file)

debug:
js> let ([] = []) { }
Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE, at jsapi.c:2368

opt:
js> let ([] = []) { print(3) } print(4)
3
Bus error

(Btw, the code is similar to the code in bug 355635, but here we're running it instead of decompiling it.)
Summary: "Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE" with "let" that binds nothing → "Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE" or null deref [@ js_FindProperty] with "let" that binds nothing
This is one of the most common bugs the fuzzer in bug 349611 hits.
Attached patch: fix
The test in JSOP_SETSP predates empty destructuring patterns, which we ECMA TG1ers agreed was desirable, late in the 1.8.1 cycle. Likewise the sp in range assertion in JSOP_LEAVEBLOCK{,EXPR}. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #245997 - Flags: review?(mrbkap)
Flags: blocking1.8.1.1?
Blocks: js1.7src
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Attachment #245997 - Flags: review?(mrbkap) → review+
Comment on attachment 245997: fix
approved for 1.8 branch, a=dveditz for drivers
Attachment #245997 - Flags: approval1.8.1.1+
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Fixed on trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.304; previous revision: 3.303
done

and in the 1.8 branch:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.70; previous revision: 3.181.2.69
done

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1.1
Resolution: --- → FIXED
RCS file: /cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-01.js,v
done
Checking in regress-355832-01.js;
/cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-01.js,v <-- regress-355832-01.js
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-02.js,v
done
Checking in regress-355832-02.js;
/cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-02.js,v <-- regress-355832-02.js
initial revision: 1.1
done
Flags: in-testsuite+
verified fixed 1.8.1.1 windows/mac*/linux, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_FindProperty]