Closed
Bug 434906
Opened 16 years ago
Closed 16 years ago
[1.8 branch] Crash [@ js_Interpret] or [@ js_FindProperty]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
for (x = 0; x < 3; ++x) let([] = []) (function(){});
crashes js 1.8 branch shell at js_FindProperty at null, and triggers the following assertion:
Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE, at jsapi.c:2293
===
A slight variation of that line,
for(let x in [0,0,0,0]) let([]=[]) (function(){});
crashes js 1.8 branch shell at js_Interpret at (almost) null and triggers the following assertion:
Assertion failure: op == JSOP_LEAVEBLOCKEXPR ? fp->spbase + OBJ_BLOCK_DEPTH(cx, obj) == sp - 1 : fp->spbase + OBJ_BLOCK_DEPTH(cx, obj) == sp, at jsinterp.c:5894
|
Reporter | |
Comment 1•16 years ago
|
||
|
|
Reporter | |
Comment 2•16 years ago
|
||
Jesse Ruderman helped to reduce the above testcases. Not sure if I should nominate since they crash at null or almost null.
|
|
Reporter | |
Updated•16 years ago
|
Summary: Crash [@ js_Interpret] or [@ js_FindProperty] → [1.8 branch] Crash [@ js_Interpret] or [@ js_FindProperty]
|
|
Reporter | |
Comment 3•16 years ago
|
||
Now both testcases WORKSFORME. Resolving as appropriate.
Sample console output:
$ ./js-moz181-intelmac
js> for (x = 0; x < 3; ++x) let([] = []) (function(){});
typein:1: ReferenceError: let is not defined
js> for(let x in [0,0,0,0]) let([]=[]) (function(){});
typein:2: SyntaxError: missing ; after for-loop initializer:
typein:2: for(let x in [0,0,0,0]) let([]=[]) (function(){});
typein:2: ........^
js>Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Updated•16 years ago
|
Flags: in-testsuite?
|
||
Updated•13 years ago
|
Crash Signature: [@ js_Interpret]
[@ js_FindProperty]
You need to log in
before you can comment on or make changes to this bug.
Description
•