"Assertion failure: slot < fp->nvars" or [@ js_Interpret]

VERIFIED FIXED in mozilla1.9alpha1

Status

Core
JavaScript Engine
P1
critical
VERIFIED FIXED
11 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: brendan)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9alpha1
crash, testcase, verified1.8.0.9, verified1.8.1.1
Points:
---
Bug Flags:
blocking1.8.1.1 +
blocking1.8.0.9 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
js> (function() { new Script('for(var x in x) { }')(); })()

Debug:
  Assertion failure: slot < fp->nvars, at jsinterp.c:4629

Opt:
  Crash [@ js_Interpret] dereferencing an invalid address (e.g. 0x0320e238)
Whiteboard: [sg:critical?]
(Assignee)

Comment 1

11 years ago
Created attachment 242075 [details] [diff] [review]
I hate the Script object
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #242075 - Flags: review?(mrbkap)
(Assignee)

Updated

11 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha

Updated

11 years ago
Attachment #242075 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 2

11 years ago
Fixed on trunk:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.257; previous revision: 3.256
done

/be
Blocks: 355044
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Flags: blocking1.8.1.1?
Resolution: --- → FIXED
(Assignee)

Updated

11 years ago
Attachment #242075 - Flags: approval1.8.1.1?
Attachment #242075 - Flags: approval1.8.0.9?
(Assignee)

Updated

11 years ago
Flags: blocking1.8.0.9?

Comment 3

11 years ago
Created attachment 242166 [details]
js1_5/Regress/regress-356402.js

I couldn't reproduce the assert.

Updated

11 years ago
Flags: in-testsuite+
(Reporter)

Comment 4

11 years ago
bc, can you reproduce in the regression test framework if you remove the "(function() {" and "})()" around the interesting part?  When I test in the shell, I can reproduce when there is exactly one anonymous function wrapped around it, but not when there are two, so maybe the fact that it's inside test() acts like having an extra function wrapped around it.

Comment 5

11 years ago
Created attachment 242187 [details]
js1_5/Regress/regress-356402.js

Jesse: yes I can, thanks. I should have remembered to test it without the function wrapper as we have had other similar cases recently.

Brendan: Which is better for these tests? Do we need to have both situations where the test code is wrapped in a function and not wrapped? Would just having the non-wrapped version be sufficient? I wonder how many other "failures" are being hidden by the test function wrapping.
Attachment #242166 - Attachment is obsolete: true
(Assignee)

Comment 6

11 years ago
One (function(){ ... })() vs. zero is a difference that needs to be tested.  Two vs. one vs. zero may also matter.

/be

Comment 7

11 years ago
verified fixed 1.9 20061014 windows/linux
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Comment on attachment 242075 [details] [diff] [review]
I hate the Script object

a=mconnor on behalf of drivers for branch checkin for 1.8.0.9 and 1.8.1.1
Attachment #242075 - Flags: approval1.8.1.1?
Attachment #242075 - Flags: approval1.8.1.1+
Attachment #242075 - Flags: approval1.8.0.9?
Attachment #242075 - Flags: approval1.8.0.9+
(Assignee)

Comment 9

11 years ago
Fixed on 1.8 branch:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.142.2.68; previous revision: 3.142.2.67
done

and on the 1.8.0 branch, with merging required:

Checking in jsparse.c;
/cvsroot/mozilla/js/src/jsparse.c,v  <--  jsparse.c
new revision: 3.142.2.6.2.10; previous revision: 3.142.2.6.2.9
done

/be
Keywords: fixed1.8.0.9, fixed1.8.1.1

Comment 10

11 years ago
verified fixed 20061122 1.8.0.9 windows/linux/mac*, 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Keywords: fixed1.8.0.9, fixed1.8.1.1 → verified1.8.0.9, verified1.8.1.1
Group: security

Comment 11

10 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-356402.js,v  <--  regress-356402.js
(Reporter)

Updated

10 years ago
No longer blocks: 349611
(Reporter)

Updated

10 years ago
Blocks: 349611
Crash Signature: [@ js_Interpret]