Bug 356402 (Closed)
Opened 18 years ago, closed 18 years ago
"Assertion failure: slot < fp->nvars" or [@ js_Interpret]
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, mozilla1.9alpha1
People: Reporter: jruderman, Assigned: brendan
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments (2 files, 1 obsolete file):
1.09 KB, patch (mrbkap: review+; mconnor: approval1.8.0.9+; mconnor: approval1.8.1.1+)
2.09 KB, text/plain
js> (function() { new Script('for(var x in x) { }')(); })()
Debug:
Assertion failure: slot < fp->nvars, at jsinterp.c:4629
Opt:
Crash [@ js_Interpret] dereferencing an invalid address (e.g. 0x0320e238)
Updated • 18 years ago
Whiteboard: [sg:critical?]
Comment 1 • 18 years ago (Assignee)
Updated • 18 years ago (Assignee)
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Updated • 18 years ago
Attachment #242075 - Flags: review?(mrbkap) → review+
Comment 2 • 18 years ago (Assignee)
Fixed on trunk:
Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v <-- jsparse.c
new revision: 3.257; previous revision: 3.256
done
/be
Blocks: js1.7src
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1.1?
Resolution: --- → FIXED
Updated • 18 years ago (Assignee)
Attachment #242075 - Flags: approval1.8.1.1?
Attachment #242075 - Flags: approval1.8.0.9?
Updated • 18 years ago (Assignee)
Flags: blocking1.8.0.9?
Comment 3 • 18 years ago
I couldn't reproduce the assert.
Updated • 18 years ago
Flags: in-testsuite+
Comment 4 • 18 years ago (Reporter)
bc, can you reproduce in the regression test framework if you remove the "(function() {" and "})()" around the interesting part? When I test in the shell, I can reproduce when there is exactly one anonymous function wrapped around it, but not when there are two, so maybe the fact that it's inside test() acts like having an extra function wrapped around it.
Comment 5 • 18 years ago
Jesse: yes I can, thanks. I should have remembered to test it without the function wrapper as we have had other similar cases recently.
Brendan: Which is better for these tests? Do we need to have both situations where the test code is wrapped in a function and not wrapped? Would just having the non-wrapped version be sufficient? I wonder how many other "failures" are being hidden by the test function wrapping.
Attachment #242166 -
Attachment is obsolete: true
Comment 6 • 18 years ago (Assignee)
One (function(){ ... })() vs. zero is a difference that needs to be tested. Two vs. one vs. zero may also matter.
/be
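The wrapper-depth point from comments 4 to 6, as an added example that is not part of the bug thread or of Mozilla's test suite: a small harness that evaluates one regression snippet as top-level code and inside one and two anonymous function wrappers, and records the outcome at each depth. The names `wrap`, `runAtDepths` and `depthsThatDiffer` are hypothetical, and because `Script` does not exist in current engines the sample inputs are the bare loop from the report plus a constructed snippet whose outcome depends on wrapping.

```javascript
// Added example: run one regression snippet at several function-nesting
// depths. wrap(), runAtDepths() and depthsThatDiffer() are hypothetical names.

// Wrap `body` in `depth` immediately-invoked anonymous functions.
function wrap(body, depth) {
  let src = body;
  for (let i = 0; i < depth; i++) {
    src = '(function() { ' + src + ' })();';
  }
  return src;
}

// Evaluate every variant and record what happened. Indirect eval runs the
// source as global code, so depth 0 really is "no enclosing function".
function runAtDepths(body, maxDepth) {
  const results = [];
  for (let depth = 0; depth <= maxDepth; depth++) {
    const source = wrap(body, depth);
    let outcome = 'ok';
    try {
      (0, eval)(source);
    } catch (e) {
      outcome = (e && e.name) || 'exception';
    }
    results.push({ depth, source, outcome });
  }
  return results;
}

// Depths whose outcome differs from the unwrapped (depth 0) run, i.e. the
// cases where a harness's own function wrapper changes what the test sees.
function depthsThatDiffer(results) {
  return results.filter(r => r.outcome !== results[0].outcome)
                .map(r => r.depth);
}

// Constructed inputs: the loop from the report without Script, and a
// snippet that is only legal inside a function.
const SAMPLES = ['for (var x in x) { }', 'return 1;'];
for (const body of SAMPLES) {
  const results = runAtDepths(body, 2);
  console.log(JSON.stringify(body),
              results.map(r => r.depth + ':' + r.outcome).join(' '),
              'differs at depths', depthsThatDiffer(results));
}
```

An in-process harness like this only observes exceptions. For a failure that is an assertion or a crash, as in this bug, each variant has to run in its own shell process so that one abort does not end the whole run.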
Updated • 18 years ago
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Comment 8 • 18 years ago
Comment on attachment 242075
I hate the Script object
a=mconnor on behalf of drivers for branch checkin for 1.8.0.9 and 1.8.1.1
Attachment #242075 - Flags: approval1.8.1.1?
Attachment #242075 - Flags: approval1.8.1.1+
Attachment #242075 - Flags: approval1.8.0.9?
Attachment #242075 - Flags: approval1.8.0.9+
Comment 9 • 18 years ago (Assignee)
Fixed on 1.8 branch:
Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v <-- jsparse.c
new revision: 3.142.2.68; previous revision: 3.142.2.67
done
and on the 1.8.0 branch, with merging required:
Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v <-- jsparse.c
new revision: 3.142.2.6.2.10; previous revision: 3.142.2.6.2.9
done
/be
Keywords: fixed1.8.0.9, fixed1.8.1.1
Comment 10 • 18 years ago
verified fixed 20061122 1.8.0.9 windows/linux/mac*, 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Updated • 18 years ago
Group: security
Comment 11 • 18 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-356402.js,v <-- regress-356402.js
Updated • 14 years ago
Crash Signature: [@ js_Interpret]