Last Comment Bug 356402 - "Assertion failure: slot < fp->nvars" or [@ js_Interpret]
: "Assertion failure: slot < fp->nvars" or [@ js_Interpret]
Status: VERIFIED FIXED
[sg:critical?]
: crash, testcase, verified1.8.0.9, verified1.8.1.1
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: P1 critical (vote)
: mozilla1.9alpha1
Assigned To: Brendan Eich [:brendan]
:
:
Mentors:
Depends on:
Blocks: jsfunfuzz js1.7src
  Show dependency treegraph
 
Reported: 2006-10-12 05:16 PDT by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT (History)
2 users (show)
dveditz: blocking1.8.1.1+
dveditz: blocking1.8.0.9+
bob: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
I hate the Script object (1.09 KB, patch)
2006-10-12 09:34 PDT, Brendan Eich [:brendan]
mrbkap: review+
mconnor: approval1.8.0.9+
mconnor: approval1.8.1.1+
Details | Diff | Splinter Review
js1_5/Regress/regress-356402.js (2.32 KB, text/plain)
2006-10-13 04:33 PDT, Bob Clary [:bc:]
no flags Details
js1_5/Regress/regress-356402.js (2.09 KB, text/plain)
2006-10-13 07:50 PDT, Bob Clary [:bc:]
no flags Details

Description Jesse Ruderman 2006-10-12 05:16:31 PDT
js> (function() { new Script('for(var x in x) { }')(); })()

Debug:
  Assertion failure: slot < fp->nvars, at jsinterp.c:4629

Opt:
  Crash [@ js_Interpret] dereferencing an invalid address (e.g. 0x0320e238)
Comment 1 Brendan Eich [:brendan] 2006-10-12 09:34:31 PDT
Created attachment 242075 [details] [diff] [review]
I hate the Script object
Comment 2 Brendan Eich [:brendan] 2006-10-12 11:06:25 PDT
Fixed on trunk:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.257; previous revision: 3.256
done

/be
Comment 3 Bob Clary [:bc:] 2006-10-13 04:33:30 PDT
Created attachment 242166 [details]
js1_5/Regress/regress-356402.js

I couldn't reproduce the assert.
Comment 4 Jesse Ruderman 2006-10-13 07:29:14 PDT
bc, can you reproduce in the regression test framework if you remove the "(function() {" and "})()" around the interesting part?  When I test in the shell, I can reproduce when there is exactly one anonymous function wrapped around it, but not when there are two, so maybe the fact that it's inside test() acts like having an extra function wrapped around it.
Comment 5 Bob Clary [:bc:] 2006-10-13 07:50:34 PDT
Created attachment 242187 [details]
js1_5/Regress/regress-356402.js

Jesse: yes I can, thanks. I should have remembered to test it without the function wrapper as we have had other similar cases recently.

Brendan: Which is better for these tests? Do we need to have both situations where the test code is wrapped in a function and not wrapped? Would just having the non-wrapped version be sufficient? I wonder how many other "failures" are being hidden by the test function wrapping.
Comment 6 Brendan Eich [:brendan] 2006-10-13 09:28:45 PDT
One (function(){ ... })() vs. zero is a difference that needs to be tested.  Two vs. one vs. zero may also matter.

/be
Comment 7 Bob Clary [:bc:] 2006-10-15 02:39:02 PDT
verified fixed 1.9 20061014 windows/linux
Comment 8 Mike Connor [:mconnor] 2006-11-07 07:42:17 PST
Comment on attachment 242075 [details] [diff] [review]
I hate the Script object

a=mconnor on behalf of drivers for branch checkin for 1.8.0.9 and 1.8.1.1
Comment 9 Brendan Eich [:brendan] 2006-11-21 12:53:15 PST
Fixed on 1.8 branch:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.142.2.68; previous revision: 3.142.2.67
done

and on the 1.8.0 branch, with merging required:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.142.2.6.2.10; previous revision: 3.142.2.6.2.9
done

/be
Comment 10 Bob Clary [:bc:] 2006-11-23 01:44:47 PST
verified fixed 20061122 1.8.0.9 windows/linux/mac*, 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Comment 11 Bob Clary [:bc:] 2007-02-08 18:05:15 PST
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-356402.js,v  <--  regress-356402.js

Note You need to log in before you can comment on or make changes to this bug.