Closed
Bug 460886
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failure: end >= begin" with .substring()
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: mrbkap)
Details
(Keywords: assertion, testcase, verified1.9.1, Whiteboard: [sg:critical?])
Attachments
(3 files, 1 obsolete file)
js -j
js> for (var j = 0; j < 5; ++j) { "".substring(5); }
Assertion failure: end >= begin, at jsstr.cpp:796
js -j
for (var j = 0; j < 5; ++j) { "".substring(-60000); }
Crash [@ js_NewStringCopy] with the invalid memory address being some function of the number in the testcase.
|
Reporter | |
Updated•16 years ago
|
Flags: blocking1.9.1?
Whiteboard: [sg:critical?]
|
Assignee | |
Comment 1•16 years ago
|
||
Ewww. That swap at the end of SubstringTail is really ugly.
|
||
Comment 2•16 years ago
|
||
Comment on attachment 344003 [details] [diff] [review] Fix > #ifdef JS_TRACER > static JSString* FASTCALL > String_p_substring(JSContext* cx, JSString* str, int32 begin, int32 end) > { >- JS_ASSERT(end >= begin); > JS_ASSERT(JS_ON_TRACE(cx)); >- return js_NewDependentString(cx, str, (size_t)begin, (size_t)(end - begin)); >+ >+ int32 length = JSSTRING_LENGTH(str); Not int32 -- size_t (consolidate the widening to jsdouble within SubstringTail). >+ return SubstringTail(cx, str, length, begin, end); > } > > static JSString* FASTCALL > String_p_substring_1(JSContext* cx, JSString* str, int32 begin) > { >- int32 end = JSSTRING_LENGTH(str); >- JS_ASSERT(end >= begin); > JS_ASSERT(JS_ON_TRACE(cx)); >- return js_NewDependentString(cx, str, (size_t)begin, (size_t)(end - begin)); >+ >+ int32 length = JSSTRING_LENGTH(str); Ditto. > function testif() { >- var q = 0; >- for (var i = 0; i < 100; i++) { >- if ((i & 1) == 0) >- q++; >- else >- q--; >- } >+ var q = 0; >+ for (var i = 0; i < 100; i++) { >+ if ((i & 1) == 0) >+ q++; >+ else >+ q--; >+ } Overindented! What happened? You sure you want all that trace-tests.js blame? /be
|
|
Assignee | |
Comment 3•16 years ago
|
||
(In reply to comment #2) > Overindented! What happened? Half of trace-tests.js expects tabstop=4 and half of it expects tabstop=8. I'll revert those changes because it's not worth going back through now.
|
|
Assignee | |
Comment 4•16 years ago
|
||
Attachment #344003 -
Attachment is obsolete: true
Attachment #344185 -
Flags: review?(brendan)
Attachment #344003 -
Flags: review?(brendan)
|
|
||
Updated•16 years ago
|
Attachment #344185 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 5•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/35c34996d80e
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 6•16 years ago
|
||
the trace-test.js portion has been added to js1_8_1/trace/trace-test.js
|
|
||
Comment 7•16 years ago
|
||
|
|
||
Comment 8•16 years ago
|
||
I could not reproduce with either testcase.
|
|
||
Updated•16 years ago
|
Flags: in-testsuite+
Flags: in-litmus-
|
|
||
Comment 9•16 years ago
|
||
verified no failures mozilla-central, tracemonkey modulo comment 8
Status: RESOLVED → VERIFIED
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
|
||
Updated•15 years ago
|
Group: core-security
Flags: wanted1.9.0.x-
|
|
||
Comment 11•14 years ago
|
||
test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge.
You need to log in
before you can comment on or make changes to this bug.
Description
•