Crash [@ js_Interpret]

RESOLVED WORKSFORME

Status
Product: Core
Component: JavaScript Engine
Importance: -- critical
Status: RESOLVED WORKSFORME
Reported: 9 years ago
Modified: 7 years ago

People
Reporter: gkw
Assignee: Unassigned

Tracking
Blocks: 1 bug
Version: unspecified
Platform: x86, Mac OS X
Keywords: assertion, crash, testcase
Points: ---
Bug Flags: in-testsuite ?
Firefox Tracking Flags: Not tracked

Attachments: 1 attachment

(Reporter)

Description

9 years ago
Created attachment 334814 [details]
crash log

for (var x = 0; x < 3; ++x) { let([] = []) ((function(){for(let y in []);})()); }

This crashes 1.8 branch js shell at almost null, at js_Interpret. It also asserts at Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE, at jsapi.c:2297

For this to occur, the for loop at the front must be present, or else the shell works as expected; see console output below.

The testcase works as expected in 1.9.0.x js shell.


Console output:

$ ./js-moz181-intelmac-debug -v 170
js> let([] = [,,]) ((function(){for(let y in []);})());
js> for (var x = 0; x < 3; ++x) { let([] = []) ((function(){for(let y in []);})()); }
Assertion failure: OBJ_GET_CLASS(cx, obj)->flags & JSCLASS_HAS_PRIVATE, at jsapi.c:2297
Trace/BPT trap

$ ./js-moz181-intelmac -v 170
js> let([] = [,,]) ((function(){for(let y in []);})());
js> for (var x = 0; x < 3; ++x) { let([] = []) ((function(){for(let y in []);})()); }
Bus error

$ ./js-moz190-intelmac
js> for (var x = 0; x < 3; ++x) { let([] = []) ((function(){for(let y in []);})()); }
js> 

$ ./js-moz190-intelmac-debug 
js> for (var x = 0; x < 3; ++x) { let([] = []) ((function(){for(let y in []);})()); }
js>

(Reporter)

Comment 1

9 years ago
This crash makes up most of the crashing testcases when jsfunfuzz-ing 1.8.1.x, which it hits frequently.
Flags: wanted1.8.1.x?

(Reporter)

Comment 2

9 years ago
A variant asserts at:

Assertion failure: OBJ_GET_CLASS(cx, obj) == &js_BlockClass, at jsinterp.c:

and still crashes at the location in opt 1.8.1.x.

(Reporter)

Comment 3

9 years ago
WFM on trunk, resolving WFM which should be a better resolution.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: wanted1.8.1.x? → in-testsuite?
Resolution: --- → WORKSFORME
Summary: [1.8 branch] Crash [@ js_Interpret] → Crash [@ js_Interpret]
Version: 1.8 Branch → unspecified
Crash Signature: [@ js_Interpret]