Closed Bug 355832 Opened 17 years ago Closed 17 years ago

"Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE" or null deref [@ js_FindProperty] with "let" that binds nothing

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: crash, testcase, verified1.8.1.1)

Crash Data

Attachments

(1 file)

fix
1.99 KB, patch
mrbkap
: review+
dveditz
: approval1.8.1.1+
Details | Diff | Splinter Review 
debug:
js> let ([] = []) { }
Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE, at jsapi.c:2368

opt:
js> let ([] = []) { print(3) } print(4)
3
Bus error

(Btw, the code is similar to the code in bug 355635, but here we're running it instead of decompiling it.)
Summary: "Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE" with "let" that binds nothing → "Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE" or null deref [@ js_FindProperty] with "let" that binds nothing
This is one of the most common bugs the fuzzer in bug 349611 hits.
Attached patch fixSplinter Review 
The test in JSOP_SETSP predates empty destructuring patterns, which we ECMA TG1ers agreed was desirable, late in the 1.8.1 cycle.  Likewise the sp in range assertion in JSOP_LEAVEBLOCK{,EXPR}.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #245997 - Flags: review?(mrbkap)
Flags: blocking1.8.1.1?
Blocks: js1.7src
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Attachment #245997 - Flags: review?(mrbkap) → review+
Comment on attachment 245997 [details] [diff] [review]
fix

approved for 1.8 branch, a=dveditz for drivers
Attachment #245997 - Flags: approval1.8.1.1+
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Fixed on trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.304; previous revision: 3.303
done

and in the 1.8 branch:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.70; previous revision: 3.181.2.69
done

/be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.1
Resolution: --- → FIXED
RCS file: /cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-01.js,v
done
Checking in regress-355832-01.js;
/cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-01.js,v  <--  regress-355832-01.js
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-02.js,v
done
Checking in regress-355832-02.js;
/cvsroot/mozilla/js/tests/js1_7/regress/regress-355832-02.js,v  <--  regress-355832-02.js
initial revision: 1.1
done
Flags: in-testsuite+
verified fixed 1.8.1.1 windows/mac*/linux, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.1verified1.8.1.1
Crash Signature: [@ js_FindProperty]
You need to log in before you can comment on or make changes to this bug.