Bug 619830: js_GetVariableBytecodeLength called in places that do not handle JSOP_TRAP
Status: Closed, RESOLVED DUPLICATE of bug 707454
Opened 14 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: sfink, Unassigned
Details: Keywords: assertion, testcase
I see two places where js_GetVariableBytecodeLength is called in a context where *pc might be JSOP_TRAP. And the API doesn't pass in enough information to retrieve the "real" bytecode either (this would require a JSScript* and a JSContext* to be able to call js_GetByteCode). The two problematic callsites are in jsinterp.cpp and jsfun.cpp. (The other callsites look safe to me.) I don't have any code that hits this problem. I just noticed it when I was scanning through jsopcode.cpp looking for JSOP_TRAP handling.
Comment 1•13 years ago
jsfunfuzz says hello

./js -d
function f() { switch(1) { } <x/>; }
dis(f);
trap(f, 1, "");
f();

Assertion failure: js_CodeSpec[op].length == -1, at jsopcode.cpp:179

flags: NULL_CLOSURE
main:
00000:  one
00001:  tableswitch defaultOffset 7 low 0 high -1  <-- trap goes here
00008:  startxml
00009:  string "<x/>"
00012:  toxml
00013:  pop
00014:  stop
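The failure mode from the description and Comment 1, as an added toy model in C++ (not SpiderMonkey code and not written by anyone on this bug): a debugger trap overwrites an opcode byte, so a length helper that receives only a pc cannot see the original variable-length opcode, while one that is given the script can. The opcode numbers, the struct and function names, and the operand layout are assumptions, chosen so that the tableswitch is 7 bytes long as in the dump above.

```cpp
// Toy model constructed for illustration; not SpiderMonkey source.
#include <cstddef>
#include <cstdint>
#include <map>
#include <stdexcept>
#include <vector>

// Opcode names follow the disassembly in the report; the numeric values are made up.
enum Op : uint8_t { OP_ONE, OP_TABLESWITCH, OP_POP, OP_STOP, OP_TRAP };
static const int kLength[] = {1, -1, 1, 1, 1};  // -1 marks a variable-length op
struct Script {
    std::vector<uint8_t> code;
    std::map<size_t, uint8_t> trapped;  // offset -> opcode the trap overwrote
};

// A debugger trap overwrites the opcode byte and keeps the original on the side.
void setTrap(Script &s, size_t off) {
    s.trapped[off] = s.code[off];
    s.code[off] = OP_TRAP;
}

// Assumed operand layout: defaultOffset, low, high as big-endian int16, then
// one int16 per case. This gives the 7-byte tableswitch seen in the dump.
static int16_t readI16(const uint8_t *p) { return int16_t((p[0] << 8) | p[1]); }
static size_t switchLength(const uint8_t *pc) {
    int low = readI16(pc + 3), high = readI16(pc + 5);
    return 7 + (high >= low ? size_t(high - low + 1) * 2 : 0);
}

// pc-only shape: all it can do is re-read *pc, so a trapped opcode fails the check.
size_t variableLengthFromPc(const uint8_t *pc) {
    if (kLength[*pc] != -1)
        throw std::logic_error("opcode at pc is not variable-length");
    return switchLength(pc);
}

// Trap-aware shape: given the script, recover the original opcode first.
size_t variableLengthInScript(const Script &s, size_t off) {
    auto it = s.trapped.find(off);
    uint8_t op = (it == s.trapped.end()) ? s.code[off] : it->second;
    if (kLength[op] != -1)
        throw std::logic_error("opcode is not variable-length");
    return switchLength(&s.code[off]);
}

// Constructed script: one; tableswitch defaultOffset 7 low 0 high -1; pop; stop
Script sampleScript() {
    return Script{{OP_ONE, OP_TABLESWITCH, 0, 7, 0, 0, 0xFF, 0xFF, OP_POP, OP_STOP}, {}};
}
```

With no trap set, both helpers return 7 for offset 1; after `setTrap(s, 1)` only the script-aware one still does.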
Updated•10 years ago
Assignee: general → nobody
Comment 2•9 years ago
JSOP_TRAP was removed in bug 707454.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE