Closed Bug 382503 Opened 18 years ago Closed 18 years ago

"Assertion failure: (slot) < (uint32)(obj)->dslots[-1]" with prototype=regexp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:critical?] fixed by bug 382532)

Attachments

(1 file)

js1_5/Object/regress-382503.js
2.19 KB, text/plain
Details
function f(x) { prototype = /a/; if (x) { return /b/; return /c/; } else { return /d/; } } void f(false); Triggers: Assertion failure: (slot) < (uint32)(obj)->dslots[-1], at jsobj.c:4990 0 JS_Assert 1 js_SetRequiredSlot + 380 (jsobj.c:4990) 2 JS_SetReservedSlot + 188 (jsapi.c:4013) 3 js_Interpret + 66856 (jsinterp.c:4266) 4 js_Execute + 715 (jsinterp.c:1591) 5 JS_ExecuteScript + 54 (jsapi.c:4693) 6 Process + 912 (js.c:268) 7 ProcessArgs + 2045 (js.c:519) 8 main + 612 (js.c:3271) 9 _start + 216 10 start + 41
Is this a memory safety bug?
Yeah, you'd probably get heap corruption in opt builds.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
WFM. mrbkap says this was fixed (and fixed properly) by bug 382532.
Status: NEW → RESOLVED
Closed: 18 years ago
Depends on: 382532
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13+
Flags: in-testsuite+
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 382532
Marking fixed1.8.1.5 per bug 382532 landing.
Keywords: fixed1.8.1.5
verified fixed 1.8.1, 1.9.0 windows/linux/macppc opt/debug browser/shell 7/16
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.5verified1.8.1.5
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Group: security
/cvsroot/mozilla/js/tests/js1_5/Object/regress-382503.js,v <-- regress-382503.js initial revision: 1.1
bug 382532 was fixed on both 1.8 branches
Flags: blocking1.8.0.14+
Keywords: fixed1.8.0.13
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: