Closed
Bug 592224
Opened 15 years ago
Closed 14 years ago
Crash [@ JSObject::changeProperty] or "Assertion failure: listp,"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords)
Crash Data
__defineGetter__("x", function () {});
function z() {
"".replace(/s/, "");
}
z();
(function () {
for (a = 0; a < 2; a++) {
__defineGetter__("", /a/);
for each(y in [__defineGetter__("x", function(){})]) {}
}
}());
asserts js debug shell on TM changeset e8ee411dca70 without -j at Assertion failure: listp, and crashes js opt shell at JSObject::changeProperty
s-s because this involves a scary address, 0x22.
===
Program received signal SIGSEGV, Segmentation fault.
0x081240b6 in JSObject::changeProperty(JSContext*, js::Shape const*, unsigned int, unsigned int, int (*)(JSContext*, JSObject*, int, js::Value*), int (*)(JSContext*, JSObject*, int, js::Value*)) ()
(gdb) x/i $eip
=> 0x81240b6 <_ZN8JSObject14changePropertyEP9JSContextPKN2js5ShapeEjjPFiS1_PS_iPNS2_5ValueEESA_+278>: mov %edx,(%eax)
(gdb) x/b $edx
0x829ef94: 0x22
(gdb) x/b $eax
0x0: Cannot access memory at address 0x0
|
Reporter | |
Updated•15 years ago
|
blocking2.0: --- → ?
|
|
Reporter | |
Comment 1•15 years ago
|
||
Probably related to bug 558451.
Regression window:
http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=be9979b4c10b&tochange=f3e58c264932
Blocks: 558451
|
||
Updated•15 years ago
|
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
|
||
Updated•15 years ago
|
blocking2.0: ? → betaN+
|
||
Comment 2•14 years ago
|
||
WFM now.
/be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Updated•14 years ago
|
Flags: in-testsuite?
|
|
||
Comment 3•14 years ago
|
||
The testcases for bug 595365 cover the bug well enough, but adding regression tests for each fuzzer-generated case wouldn't hurt. Have to be careful with eval of named function expressions, though. Gary, are you willing to add tests?
/be
|
||
Comment 4•14 years ago
|
||
autoBisect.py -p -e f3e58c264932 -s default -a 64 b592224.js
The first good revision is:
changeset: 53415:3feb012b18a3
user: Brendan Eich <brendan@mozilla.org>
date: Thu Sep 02 18:46:11 2010 -0700
summary: Bugs in dictionary-mode property table maintenance (593256, r=jorendorff).
|
|
||
Updated•14 years ago
|
Resolution: WORKSFORME → FIXED
|
|
||
Updated•14 years ago
|
Group: core-security
|
||
Updated•14 years ago
|
Crash Signature: [@ JSObject::changeProperty]
|
||
Comment 5•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•