Closed
Bug 622011
Opened 14 years ago
Closed 14 years ago
Assertion failure: JSVAL_IS_DOUBLE_IMPL(data) / Crash
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 618129
People
(Reporter: decoder, Assigned: dvander)
Details
Attachments
(1 file)
416 bytes,
application/javascript
The attached shell testcase (sorry, it's ugly^^), asserts with

Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at jsvalue.h:705

Optimized build crashes with:

==27252== Process terminating with default action of signal 11 (SIGSEGV)
==27252==  Bad permissions for mapped region at address 0x410D2C0
==27252==    at 0x410D2C0: ???
==27252==    by 0x43C731: js_watch_set (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x48A4FF: js_NativeSet(JSContext*, JSObject*, js::Shape const*, bool, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x48D0B7: js_SetPropertyHelper(JSContext*, JSObject*, long, unsigned int, js::Value*, int) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x5FD0CD: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x476CF6: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x489B21: js::EvalKernel(JSContext*, unsigned int, js::Value*, js::EvalType, JSStackFrame*, JSObject*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x47526A: js::DirectEval(JSContext*, JSFunction*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x603CED: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x476CF6: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x4118F5: JS_ExecuteScript (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)
==27252==    by 0x407850: Process(JSContext*, JSObject*, char*, int) (in /scratch/holler/LangFuzz/sources/mozilla-central-hg/js.opt/src/shell/js)

Locked as security bug because of the crash and the dangling address there.
Updated•14 years ago
Assignee: general → dvander
Whiteboard: [sg:critical] → [sg:critical] dupe of 618129? or separate bug leading to the same assert?
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical] dupe of 618129? or separate bug leading to the same assert?
Comment 4•13 years ago
bug 618129 landed on 2010-01-14. Can we verify that this is really a duplicate and fixed by that check-in?
Comment 5•13 years ago
(In reply to comment #4)
> bug 618129 landed on 2010-01-14. Can we verify that this is really a duplicate
> and fixed by that check-in?

The first good revision is:

changeset: 60032:7aef1aece1f4
user: David Anderson
date: Tue Jan 11 11:47:07 2011 -0800
summary: Fix a slot bug when objects become dictionaries (bug 618129, r=brendan).
Updated•10 years ago
Group: core-security