Closed Bug 619830 Opened 14 years ago Closed 9 years ago

js_GetVariableBytecodeLength called in places that do not handle JSOP_TRAP

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 707454

People

(Reporter: sfink, Unassigned)

Details

(Keywords: assertion, testcase)

I see two places where js_GetVariableBytecodeLength is called in a context where *pc might be JSOP_TRAP. And the API doesn't pass in enough information to retrieve the "real" bytecode either (this would require a JSScript* and a JSContext* to be able to call js_GetByteCode).

The two problematic callsites are in jsinterp.cpp and jsfun.cpp. (The other callsites look safe to me.)

I don't have any code that hits this problem. I just noticed it when I was scanning through jsopcode.cpp looking for JSOP_TRAP handling.
jsfunfuzz says hello


./js -d

function f() { switch(1) { } <x/>; }
dis(f);
trap(f, 1, "");
f();

Assertion failure: js_CodeSpec[op].length == -1, at jsopcode.cpp:179

flags: NULL_CLOSURE
main:
00000:  one
00001:  tableswitch defaultOffset 7 low 0 high -1   <-- trap goes here
00008:  startxml
00009:  string "<x/>"
00012:  toxml
00013:  pop
00014:  stop
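As an added illustration (not SpiderMonkey's code; every name below is hypothetical), a C model of the defect the reporter describes and the fuzzer's testcase hits: setting a trap overwrites the opcode byte, so a length routine that only sees *pc finds the trap opcode instead of the variable-length tableswitch, while a version that is handed the script can consult the trap map for the real opcode and return the right length. The byte layout is constructed to reproduce the disassembly above (tableswitch at offset 1, next opcode at 8).

```c
/* Added model of the bug, not SpiderMonkey's code; all names are hypothetical. */
#include <stdint.h>
#include <string.h>
enum Op { OP_ONE, OP_TABLESWITCH, OP_STARTXML, OP_STRING, OP_TOXML,
          OP_POP, OP_STOP, OP_TRAP, OP_COUNT };
/* Byte length per opcode; -1 marks a variable-length opcode (tableswitch). */
static const int op_length[OP_COUNT] = { 1, -1, 1, 3, 1, 1, 1, 1 };
#define MAX_CODE 32
typedef struct {
    uint8_t code[MAX_CODE];
    int trapped[MAX_CODE];      /* nonzero once a trap is set at this pc */
    uint8_t saved_op[MAX_CODE]; /* the opcode the trap byte overwrote */
} Script;
/* Constructed tableswitch layout: op, default(2), low(2), high(2), then
   (high - low + 1) two-byte jump offsets; fields are 16-bit big-endian. */
static int rd16(const uint8_t *p) { return (int16_t)((p[0] << 8) | p[1]); }
static int tableswitch_length(const uint8_t *pc) {
    int low = rd16(pc + 3), high = rd16(pc + 5);
    return 1 + 6 + 2 * (high - low + 1);
}

/* Buggy shape: only *pc is available, so once a trap is set this sees OP_TRAP.
   The real function asserts js_CodeSpec[op].length == -1; this returns -1. */
static int variable_bytecode_length(const uint8_t *pc) {
    if (op_length[*pc] != -1)
        return -1;
    return tableswitch_length(pc);
}

/* Fixed shape: given the script, the trap map yields the real opcode first. */
static uint8_t real_opcode(const Script *s, size_t pc) {
    return s->trapped[pc] ? s->saved_op[pc] : s->code[pc];
}
static int bytecode_length(const Script *s, size_t pc) {
    uint8_t op = real_opcode(s, pc);
    return op_length[op] != -1 ? op_length[op] : tableswitch_length(s->code + pc);
}
static void set_trap(Script *s, size_t pc) {
    s->trapped[pc] = 1; s->saved_op[pc] = s->code[pc]; s->code[pc] = OP_TRAP;
}

/* The testcase's disassembly: one; tableswitch default 7 low 0 high -1;
   startxml; string; toxml; pop; stop (string carries a 2-byte atom index). */
static void build_script(Script *s) {
    static const uint8_t bytes[] = {
        OP_ONE, OP_TABLESWITCH, 0x00, 0x07, 0x00, 0x00, 0xFF, 0xFF,
        OP_STARTXML, OP_STRING, 0x00, 0x00, OP_TOXML, OP_POP, OP_STOP };
    memset(s, 0, sizeof *s);
    memcpy(s->code, bytes, sizeof bytes);
}
```

Before the trap both routines agree on 7 bytes for the tableswitch; after set_trap(&s, 1) the pc-only routine fails while the script-aware one still returns 7.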
Keywords: assertion, testcase
Assignee: general → nobody
JSOP_TRAP was removed in bug 707454.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE