Closed
Bug 634593
Opened 13 years ago
Closed 13 years ago
Assertion failure: proto->isNative(), at jsobjinlines.h:917
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | .x+ |
People
(Reporter: decoder, Assigned: brendan)
References
Details
(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
754 bytes,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
Running the following code with -j in the shell causes an assertion (tested on TM tip):
this.__defineGetter__("x3", Function);
parseInt = x3;
parseInt.prototype = [];
for (var z = 0; z < 10; ++z) { new parseInt() }
|
||
Updated•13 years ago
|
Group: core-security
|
|
||
Updated•13 years ago
|
blocking2.0: --- → ?
|
||
Comment 1•13 years ago
|
||
Exploitable?
|
Assignee | |
Comment 2•13 years ago
|
||
This doesn't crash my opt shell. It seems to be just a bogus assertion; more specifically, a latent bug exposed by patch for bug 633929. Underlying code goes back to my patch for bug 535416. /be
Blocks: 630865
Group: core-security
|
|
Assignee | |
Updated•13 years ago
|
Assignee: general → brendan
Status: NEW → ASSIGNED
|
||
Updated•13 years ago
|
blocking2.0: ? → .x
|
|
Assignee | |
Comment 3•13 years ago
|
||
This is not a blocker but bogus assertions are bad for fuzzing, so it should be fixed (DEBUG-only change, I hope). /be
|
|
||
Comment 4•13 years ago
|
||
Non-native objects can provide empty shapes?
|
|
Assignee | |
Comment 5•13 years ago
|
||
(In reply to comment #4) > Non-native objects can provide empty shapes? Surprising but true. /be
OS: Linux → Windows CE
|
|
Assignee | |
Comment 6•13 years ago
|
||
Attachment #513000 -
Flags: review?(jorendorff)
|
||
Comment 7•13 years ago
|
||
Comment on attachment 513000 [details] [diff] [review] remove bogus assertion Needs a test. r=me with that.
Attachment #513000 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Updated•13 years ago
|
OS: Linux → All
Hardware: x86_64 → All
|
|
Assignee | |
Comment 8•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/b0fd21292a78 /be
Whiteboard: fixed-in-tracemonkey
|
||
Comment 9•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/b0fd21292a78
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 10•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug634593.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•