Crash [@ JSObject::allocSlot] or "Assertion failure: JSVAL_IS_DOUBLE_IMPL(data),"

RESOLVED DUPLICATE of bug 618129
Severity: critical
Reported 8 years ago, last modified 5 years ago
People

(Reporter: gkw, Unassigned)

Tracking

Blocks: 1 bug
Version: Trunk
Platform: x86, Mac OS X
Keywords: assertion, crash, regression, testcase

Firefox Tracking Flags

(blocking2.0 betaN+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [ccbr][sg:dupe 618129], crash signature)

Attachments

(1 attachment)

Description (Reporter, 8 years ago)

Created attachment 502525: more information

function a() {
  f = Function("\
    this.watch(\"w\",\
      function(){\
        d={};\
        Object.defineProperty(this,\"w\",({get:/x/}))\
      }\
    );\
    w=b;\
    []()\
  ")
  f()
}
function b() {}
a()

This crashes the js opt shell at JSObject::allocSlot on TM changeset de9053031560 without -m or -j when passed in as a CLI argument, and asserts the debug shell with: Assertion failure: JSVAL_IS_DOUBLE_IMPL(data)

s-s because this seems to involve a scary address, setting sg:critical?

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   54300:7ef107ab081e
user:        Brendan Eich
date:        Thu Sep 16 11:56:54 2010 -0700
summary:     Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff).
Updated (Reporter, 8 years ago)

blocking2.0: --- → ?
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 618129
blocking2.0: ? → betaN+
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 618129]
Crash Signature: [@ JSObject::allocSlot]
Group: core-security