Closed Bug 356402 Opened 18 years ago Closed 18 years ago

"Assertion failure: slot < fp->nvars" or [@ js_Interpret]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files, 1 obsolete file)

I hate the Script object
1.09 KB, patch
mrbkap
: review+
mconnor
: approval1.8.0.9+
mconnor
: approval1.8.1.1+
Details | Diff | Splinter Review
js1_5/Regress/regress-356402.js
2.09 KB, text/plain
Details 
js> (function() { new Script('for(var x in x) { }')(); })()

Debug:
  Assertion failure: slot < fp->nvars, at jsinterp.c:4629

Opt:
  Crash [@ js_Interpret] dereferencing an invalid address (e.g. 0x0320e238)
Whiteboard: [sg:critical?]
Assignee: general → brendan
Status: NEW → ASSIGNED

        Attachment #242075 -
        Flags: review?(mrbkap)

    
  
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha

        Attachment #242075 -
        Flags: review?(mrbkap) → review+

    
    

    
  
Fixed on trunk:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.257; previous revision: 3.256
done

/be
Blocks: js1.7src
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1.1?
Resolution: --- → FIXED

    
  

        Attachment #242075 -
        Flags: approval1.8.1.1?

        Attachment #242075 -
        Flags: approval1.8.0.9?

    
  
Flags: blocking1.8.0.9?

    
    

    
  

      
      
      
      

        Attached file
          
        js1_5/Regress/regress-356402.js (obsolete)
        — 
      

    


  
I couldn't reproduce the assert.
Flags: in-testsuite+

    
    

    
  
bc, can you reproduce in the regression test framework if you remove the "(function() {" and "})()" around the interesting part?  When I test in the shell, I can reproduce when there is exactly one anonymous function wrapped around it, but not when there are two, so maybe the fact that it's inside test() acts like having an extra function wrapped around it.

    
    

    
  


  
Jesse: yes I can, thanks. I should have remembered to test it without the function wrapper as we have had other similar cases recently.

Brendan: Which is better for these tests? Do we need to have both situations where the test code is wrapped in a function and not wrapped? Would just having the non-wrapped version be sufficient? I wonder how many other "failures" are being hidden by the test function wrapping.

        Attachment #242166 -
        Attachment is obsolete: true

    
    

    
  
One (function(){ ... })() vs. zero is a difference that needs to be tested.  Two vs. one vs. zero may also matter.

/be

    
    

    
  
verified fixed 1.9 20061014 windows/linux
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+

    
    

    
  
Comment on attachment 242075 [details] [diff] [review]
I hate the Script object

a=mconnor on behalf of drivers for branch checkin for 1.8.0.9 and 1.8.1.1

        Attachment #242075 -
        Flags: approval1.8.1.1?

        Attachment #242075 -
        Flags: approval1.8.1.1+

        Attachment #242075 -
        Flags: approval1.8.0.9?

        Attachment #242075 -
        Flags: approval1.8.0.9+

    
    

    
  
Fixed on 1.8 branch:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.142.2.68; previous revision: 3.142.2.67
done

and on the 1.8.0 branch, with merging required:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.142.2.6.2.10; previous revision: 3.142.2.6.2.9
done

/be
Keywords: fixed1.8.0.9, 
          
            fixed1.8.1.1

    
    

    
  
verified fixed 20061122 1.8.0.9 windows/linux/mac*, 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Keywords: fixed1.8.0.9, 
          
            fixed1.8.1.1verified1.8.0.9, 
          
            verified1.8.1.1
Group: security

    
    

    
  
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-356402.js,v  <--  regress-356402.js

Crash Signature: [@ js_Interpret]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: