Closed Bug 622011 Opened 14 years ago Closed 14 years ago

Assertion failure: JSVAL_IS_DOUBLE_IMPL(data) / Crash

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 618129

People

(Reporter: decoder, Assigned: dvander)

Details

Attachments

(1 file)

Attached file Test case for shell
The attached shell testcase (sorry, it's ugly^^) asserts with

Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at jsvalue.h:705

Optimized build crashes with:

==27252== Process terminating with default action of signal 11 (SIGSEGV)
==27252==  Bad permissions for mapped region at address 0x410D2C0
==27252==    at 0x410D2C0: ???
==27252==    by 0x43C731: js_watch_set (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x48A4FF: js_NativeSet(JSContext*, JSObject*, js::Shape const*, bool, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x48D0B7: js_SetPropertyHelper(JSContext*, JSObject*, long, unsigned int, js::Value*, int) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x5FD0CD: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x476CF6: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x489B21: js::EvalKernel(JSContext*, unsigned int, js::Value*, js::EvalType, JSStackFrame*, JSObject*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x47526A: js::DirectEval(JSContext*, JSFunction*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x603CED: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x476CF6: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x4118F5: JS_ExecuteScript (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x407850: Process(JSContext*, JSObject*, char*, int) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)

Locked as security bug because of the crash and the dangling address there.
Bug 618129 trips the same assertion.
Whiteboard: [sg:critical]
Assignee: general → dvander
Whiteboard: [sg:critical] → [sg:critical] dupe of 618129? or separate bug leading to the same assert?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical] dupe of 618129? or separate bug leading to the same assert?
bug 618129 landed on 2010-01-14. Can we verify that this is really a duplicate and fixed by that check-in?
(In reply to comment #4)
> bug 618129 landed on 2010-01-14. Can we verify that this is really a duplicate
> and fixed by that check-in?

The first good revision is:
changeset:   60032:7aef1aece1f4
user:        David Anderson
date:        Tue Jan 11 11:47:07 2011 -0800
summary:     Fix a slot bug when objects become dictionaries (bug 618129, r=brendan).
Group: core-security