"Assertion failure: (slot) < (uint32)(obj)->dslots[-1]" with prototype=regexp

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 10 years ago
Modified: 10 years ago

People
(Reporter: Jesse Ruderman, Unassigned)

Tracking
(Blocks: 1 bug, 4 keywords)
Version: Trunk
Platform: x86
OS: Mac OS X
Keywords: assertion, fixed1.8.0.13, testcase, verified1.8.1.5
Points: ---
Bug Flags:
blocking1.9 ?
blocking1.8.1.5 +
wanted1.8.1.x +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags
(Not tracked)

Details
(Whiteboard: [sg:critical?] fixed by bug 382532)

Attachments
(1 attachment)

Description (Reporter, 10 years ago)

function f(x)
{
  prototype = /a/;

  if (x) {
    return /b/;
    return /c/;
  } else {
    return /d/;
  }
}

void f(false);


Triggers:
Assertion failure: (slot) < (uint32)(obj)->dslots[-1], at jsobj.c:4990

0   JS_Assert
1   js_SetRequiredSlot + 380 (jsobj.c:4990)
2   JS_SetReservedSlot + 188 (jsapi.c:4013)
3   js_Interpret + 66856 (jsinterp.c:4266)
4   js_Execute + 715 (jsinterp.c:1591)
5   JS_ExecuteScript + 54 (jsapi.c:4693)
6   Process + 912 (js.c:268)
7   ProcessArgs + 2045 (js.c:519)
8   main + 612 (js.c:3271)
9   _start + 216
10  start + 41
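The assertion in the stack trace above compares a requested slot index against the slot count the engine keeps at dslots[-1]. As an added illustration (example code written here, not SpiderMonkey's code and not part of the reporter's testcase), the C model below reproduces that length-prefixed slot array layout and shows the point behind comment 1: a bound enforced only by assert() disappears in an optimized (NDEBUG) build, so an out-of-range slot write would land past the allocation, whereas a setter whose check is an ordinary runtime branch refuses the write. The obj_t and jsval_t types and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model for this example, not SpiderMonkey's code: an object's
 * dynamic slots live in a heap array whose element at index -1 holds the
 * number of allocated slots, which is what the assertion's `dslots[-1]`
 * reads. jsval_t stands in for the engine's tagged value type. */
typedef uintptr_t jsval_t;

typedef struct {
    jsval_t *dslots;  /* points one element past the length word */
} obj_t;

/* Allocate nslots slots and record the count in dslots[-1]. */
static bool obj_alloc_slots(obj_t *obj, uint32_t nslots)
{
    jsval_t *mem = calloc((size_t)nslots + 1, sizeof *mem);
    if (mem == NULL)
        return false;
    mem[0] = (jsval_t)nslots;   /* becomes dslots[-1] */
    obj->dslots = mem + 1;
    return true;
}

static void obj_free_slots(obj_t *obj)
{
    if (obj->dslots != NULL)
        free(obj->dslots - 1);
    obj->dslots = NULL;
}

static uint32_t obj_slot_count(const obj_t *obj)
{
    return obj->dslots != NULL ? (uint32_t)obj->dslots[-1] : 0;
}

/* Checked setter. The bound test is a runtime branch rather than an
 * assert(): an assert-only check compiles away under NDEBUG, so an
 * optimized build would write past the allocation (the heap corruption
 * comment 1 anticipates), whereas this version refuses the write. */
static bool obj_set_slot_checked(obj_t *obj, uint32_t slot, jsval_t v)
{
    if (slot >= obj_slot_count(obj))
        return false;
    obj->dslots[slot] = v;
    return true;
}

static bool obj_get_slot_checked(const obj_t *obj, uint32_t slot, jsval_t *out)
{
    if (slot >= obj_slot_count(obj))
        return false;
    *out = obj->dslots[slot];
    return true;
}

/* Try one write into an object with nslots slots and report whether the
 * checked setter accepted it. Also returns false on allocation failure. */
static bool slot_write_accepted(uint32_t nslots, uint32_t slot)
{
    obj_t obj = { NULL };
    if (!obj_alloc_slots(&obj, nslots))
        return false;
    bool ok = obj_set_slot_checked(&obj, slot, (jsval_t)42);
    obj_free_slots(&obj);
    return ok;
}

/* Round trip: an in-bounds value reads back, a write one past the end is
 * refused, and the length word survives. Returns 0 on success. */
static int demo(void)
{
    obj_t obj = { NULL };
    if (!obj_alloc_slots(&obj, 2))
        return -1;
    jsval_t v = 0;
    int rc = 0;
    if (!obj_set_slot_checked(&obj, 1, (jsval_t)7))            rc = 1;
    else if (!obj_get_slot_checked(&obj, 1, &v) || v != 7)     rc = 2;
    else if (obj_set_slot_checked(&obj, 2, (jsval_t)9))        rc = 3;
    else if (obj_slot_count(&obj) != 2)                        rc = 4;
    obj_free_slots(&obj);
    return rc;
}

int main(void)
{
    return (demo() == 0 && slot_write_accepted(2, 1) && !slot_write_accepted(2, 5)) ? 0 : 1;
}
```

The useful property for a release build is that obj_set_slot_checked returns false for slot 2 of a two-slot object instead of touching memory past the allocation; that refusal is what a debug-only assertion cannot provide once NDEBUG is defined.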
Comment 1 (Reporter, 10 years ago)
Is this a memory safety bug?
Yeah, you'd probably get heap corruption in opt builds.
Updated (Reporter, 10 years ago)
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Comment 3 (Reporter, 10 years ago)
WFM. mrbkap says this was fixed (and fixed properly) by bug 382532.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Depends on: 382532
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13+

Comment 4 (10 years ago)
Created attachment 268522 [details]
js1_5/Object/regress-382503.js

Updated (10 years ago)
Flags: in-testsuite+
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 382532

Comment 5 (10 years ago)
Marking fixed1.8.1.5 per bug 382532 landing.
Keywords: fixed1.8.1.5

Comment 6 (10 years ago)
verified fixed 1.8.1, 1.9.0 windows/linux/macppc opt/debug browser/shell 7/16
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.5 → verified1.8.1.5
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Group: security

Comment 7 (10 years ago)
/cvsroot/mozilla/js/tests/js1_5/Object/regress-382503.js,v  <--  regress-382503.js
initial revision: 1.1
bug 382532 was fixed on both 1.8 branches
Flags: blocking1.8.0.14+
Keywords: fixed1.8.0.13