Closed Bug 382503 Opened 14 years ago Closed 14 years ago

"Assertion failure: (slot) < (uint32)(obj)->dslots[-1]" with prototype=regexp

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86, macOS
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Reporter: jruderman
Assignee: Unassigned
Keywords: 4 keywords
Whiteboard: [sg:critical?] fixed by bug 382532
Attachments: 1 file
function f(x)
{
  prototype = /a/;

  if (x) {
    return /b/;
    return /c/;
  } else {
    return /d/;
  }
}

void f(false);


Triggers:
Assertion failure: (slot) < (uint32)(obj)->dslots[-1], at jsobj.c:4990

0   JS_Assert
1   js_SetRequiredSlot + 380 (jsobj.c:4990)
2   JS_SetReservedSlot + 188 (jsapi.c:4013)
3   js_Interpret + 66856 (jsinterp.c:4266)
4   js_Execute + 715 (jsinterp.c:1591)
5   JS_ExecuteScript + 54 (jsapi.c:4693)
6   Process + 912 (js.c:268)
7   ProcessArgs + 2045 (js.c:519)
8   main + 612 (js.c:3271)
9   _start + 216
10  start + 41

Is this a memory safety bug?

Yeah, you'd probably get heap corruption in opt builds.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
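
Added example (not part of the bug thread, not SpiderMonkey source, and not the fix from bug 382532): a simplified C model of why a bounds check that exists only as an assertion, like the one at jsobj.c:4990, leaves optimized builds with an unchecked store. The `model_obj` type and all function names are hypothetical; the only detail taken from the report is that the slot count is read from `dslots[-1]`.

```c
/* Simplified model for illustration; not SpiderMonkey source. */
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>

typedef intptr_t slotval;
/* Hypothetical object: dslots[-1] holds the number of usable slots. */
typedef struct { slotval *dslots; } model_obj;

int model_init(model_obj *obj, uint32_t nslots) {
    slotval *raw = calloc((size_t)nslots + 1, sizeof *raw);
    if (!raw) return -1;
    raw[0] = (slotval)nslots;      /* capacity, read back as dslots[-1] */
    obj->dslots = raw + 1;
    return 0;
}

void model_free(model_obj *obj) {
    if (obj->dslots) free(obj->dslots - 1);
    obj->dslots = NULL;
}

/* Pattern from the report: the only bounds check is an assertion.
 * Built with NDEBUG (an opt build) it compiles away and the store is unchecked. */
void set_slot_assert_only(model_obj *obj, uint32_t slot, slotval v) {
    assert(slot < (uint32_t)obj->dslots[-1]);
    obj->dslots[slot] = v;
}

/* Hardened variant: the check is present in every build and the caller
 * receives an error instead of an out-of-bounds write. */
int set_slot_checked(model_obj *obj, uint32_t slot, slotval v) {
    if (!obj->dslots || slot >= (uint32_t)obj->dslots[-1])
        return -1;
    obj->dslots[slot] = v;
    return 0;
}

/* Exercises an in-range and an out-of-range slot; returns 0 on success. */
int demo(void) {
    model_obj o;
    if (model_init(&o, 4) != 0) return 1;
    int ok = set_slot_checked(&o, 3, 42);    /* last valid slot */
    int bad = set_slot_checked(&o, 4, 99);   /* one past the end: rejected */
    int stored = (o.dslots[3] == 42);
    model_free(&o);
    return (ok == 0 && bad == -1 && stored) ? 0 : 1;
}
```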

WFM. mrbkap says this was fixed (and fixed properly) by bug 382532.
Status: NEW → RESOLVED
Closed: 14 years ago
Depends on: 382532
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13+
Flags: in-testsuite+
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 382532

Marking fixed1.8.1.5 per bug 382532 landing.
Keywords: fixed1.8.1.5

verified fixed 1.8.1, 1.9.0 windows/linux/macppc opt/debug browser/shell 7/16
Status: RESOLVED → VERIFIED
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Group: security

/cvsroot/mozilla/js/tests/js1_5/Object/regress-382503.js,v  <--  regress-382503.js
initial revision: 1.1

bug 382532 was fixed on both 1.8 branches
Flags: blocking1.8.0.14+
Keywords: fixed1.8.0.13