Closed
Bug 533862
Opened 15 years ago
Closed 14 years ago
"Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp" or "Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp"
Categories: (Core :: JavaScript Engine, defect)
Status: RESOLVED DUPLICATE of bug 546615
People: (Reporter: gkw, Unassigned)
Details: (Keywords: assertion, regression, testcase, Whiteboard: [sg:dupe 546615][3.6.x] fixed-in-tracemonkey)
Attachments: (2 files)
(new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()

asserts js debug shell without -j on TM tip at Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2145

(new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({}); if (1) {} i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))

a slightly reduced version of the testcase above asserts js debug shell without -j on TM tip at Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1863

Nominating security-sensitive because these testcases seem to involve gczeal.

autoBisecting soon...
Comment 1•15 years ago (Reporter)
autoBisect shows this is probably related to bug 488690:

The first bad revision is:
changeset: 27473:ed4ac8a1494e
user: Brendan Eich
date: Mon Apr 20 15:51:27 2009 -0700
summary: Bug 488690 - "Assertion failure: dn->pn_defn, at ../jsemit.cpp" (r=mrbkap).
Blocks: 488690
Comment 2•15 years ago (Reporter)
$ ./js-dbg-32-tm-darwin original.js
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2145
Abort trap
Comment 3•15 years ago (Reporter)
$ ./js-dbg-32-tm-darwin w5513-reduced.js
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1863
Abort trap
Comment 4•15 years ago (Reporter)
Nominating for blocking on all platforms due to possibly-related bug 488690 being landed on all platforms from 1.9.1 onwards, but deferring to more experienced eyes on whether to set wanted or otherwise.
blocking1.9.1: --- → ?
blocking2.0: --- → ?
Flags: wanted1.9.2?
Flags: blocking1.9.2?
Comment 5•15 years ago
qawanted: does the testcase actually affect 1.9.1 or is that just a guess based on the regressing bug?
status1.9.1: --- → ?
Keywords: qawanted
Updated•15 years ago
blocking1.9.1: ? → ---
Updated•15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Comment 6•15 years ago
Does this assert on the 192 branch?
Comment 7•15 years ago (Reporter)
(In reply to comment #5)
> qawanted: does the testcase actually affect 1.9.1 or is that just a guess based
> on the regressing bug?

This _does_ affect 1.9.1.

(In reply to comment #6)
> Does this assert on the 192 branch?

This _does_ affect 1.9.2.

For clarity, this affects 1.9.1, 1.9.2 and TM branches.

=====

1.9.1 changeset 9a04b31d5b46:

$ ./js-dbg-32-191-darwin
js> (new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2100
Trace/BPT trap

$ ./js-dbg-32-191-darwin
js> (new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({}); if (1) {} i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1817
Trace/BPT trap

=====

1.9.2 changeset 162e0fd19bc2:

$ ./js-dbg-32-192-darwin
js> (new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2097
Trace/BPT trap

$ ./js-dbg-32-192-darwin
js> (new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({}); if (1) {} i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1815
Trace/BPT trap

=====

TM changeset a2213b12f253:

$ ./js-dbg-32-tm-darwin
js> (new Function("with({x:<y {x}={(s\n?o:(\"\"((function (x,l){if(dx.length == znfggl) { ; return gczeal(0); } var bdccqi ; var gsfkvd = a_indexing(bleedx, znfggl + 1); print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />})t(((function f(gm) { ({a}); if (cm1) { retur }i();})(2)));le(((function(){[]((1))})([[][1],x]))for(x in 0)if(<x></x>))"))()
Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp:2145
Abort trap

$ ./js-dbg-32-tm-darwin
js> (new Function("({x:<y {x}={(s\n?o:(\"\"((function(x){if(a == bbbbbb) { ; return gczeal(0); } var cccccc;var dddddd = a_indexing(eeeeee, bbbbbb + 1);print(eval(\"#3={a:#3#};\")); })([ /x/g/x [ed], (0)], 0))))} />}) (((function f(gm) { ({}); if (1) {} i()})())); (((function() { (0)})([[], x]))for(x in 0)if([]))"))
Assertion failure: pnu->pn_lexdef == dn, at ../jsemit.cpp:1863
Abort trap
blocking1.9.1: --- → ?
Keywords: qawanted
Comment 8•15 years ago
this test case is pretty hairy, using sharps and e4x. We'll go for a point release.
Flags: blocking1.9.2+ → blocking1.9.2-
Updated•15 years ago
Flags: wanted1.9.2? → wanted1.9.2+
Updated•15 years ago
Whiteboard: [3.6.x]
Updated•14 years ago
blocking1.9.1: ? → ---
Updated•14 years ago
blocking2.0: ? → alpha1
Updated•14 years ago
blocking2.0: alpha1 → beta1
Comment 9•14 years ago
mrbkap, is this a security hole?
Comment 10•14 years ago (Reporter)
This bug got fixed by bug 546615:

changeset: 38077:36487442aeb0
user: Jason Orendorff
date: Thu Feb 18 16:01:25 2010 -0600
summary: Bug 546615 - Crash [@ BindNameToSlot] or "Assertion failure: cg->staticLevel >= level, at ../jsemit.cpp". r=brendan.
Whiteboard: [3.6.x] → [3.6.x] fixed-in-tracemonkey
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
status1.9.2: --- → wanted
Depends on: 546615
Resolution: --- → DUPLICATE
Whiteboard: [3.6.x] fixed-in-tracemonkey → [sg:dupe 546615][3.6.x] fixed-in-tracemonkey
Updated•14 years ago
Group: core-security
Comment 12•11 years ago
A testcase for this bug was already added in the original bug (bug 546615).
Flags: in-testsuite-