Closed
Bug 653782
Opened 13 years ago
Closed 13 years ago
"Assertion failure: JS_IsArrayObject(cx, scx->replacer),"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla6
People
(Reporter: gkw, Assigned: Waldo)
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
10.17 KB,
patch
|
paul.biggar
:
review+
|
Details | Diff | Splinter Review |
JSON.stringify(/x/,<x/>)
asserts js debug shell on TM changeset 3dd6ec45084c without -m nor -j at:
Assertion failure: JS_IsArrayObject(cx, scx->replacer),
(part of backtrace):
#2 0x081d4335 in JS_Assert (s=0x83824c4 "JS_IsArrayObject(cx, scx->replacer)", file=0x838242c "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-68358-3dd6ec45084c/compilePath/js/src/json.cpp", ln=445)
at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-68358-3dd6ec45084c/compilePath/js/src/jsutil.cpp:89
#3 0x0813c540 in JO (cx=0x845c098, obj=0xf750e138, scx=0xffffc0fc) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-68358-3dd6ec45084c/compilePath/js/src/json.cpp:445
#4 0x0813ce0b in Str (cx=0x845c098, v=..., scx=0xffffc0fc) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-68358-3dd6ec45084c/compilePath/js/src/json.cpp:628
#5 0x0813d83a in js_Stringify (cx=0x845c098, vp=0xf76e4060, replacer=0xf7502118, space=..., sb=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-68358-3dd6ec45084c/compilePath/js/src/json.cpp:783
#6 0x0813b925 in js_json_stringify (cx=0x845c098, argc=2, vp=0xf76e4060) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-68358-3dd6ec45084c/compilePath/js/src/json.cpp:145
#7 0x0810fd68 in js::CallJSNative (cx=0x845c098, native=0x813b82d <js_json_stringify(JSContext*, uintN, js::Value*)>, argc=2, vp=0xf76e4060)
at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-68358-3dd6ec45084c/compilePath/js/src/jscntxtinlines.h:277
|
Assignee | |
Updated•13 years ago
|
Assignee: general → jwalden+bmo
OS: Linux → All
Hardware: x86 → All
|
|
Assignee | |
Comment 1•13 years ago
|
||
Any case where the second argument to JSON.stringify is an object that's not an array and isn't callable will trigger this. Stupid mistake on my part.
|
|
Assignee | |
Comment 2•13 years ago
|
||
Comment on attachment 529171 [details] [diff] [review] Patch and test Gonna try for a faster review on IRC to fix the regression faster, but if not, shouldn't be a huge problem.
Attachment #529171 -
Flags: review?(pbiggar)
|
||
Comment 3•13 years ago
|
||
Comment on attachment 529171 [details] [diff] [review] Patch and test Review of attachment 529171 [details] [diff] [review]: Looks good.
Attachment #529171 -
Flags: review?(pbiggar) → review+
|
|
Assignee | |
Comment 4•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/49f49164c1d7 I also mis-tagged the following revision as being associated with this bug in its commit message: http://hg.mozilla.org/tracemonkey/rev/34e8a687ea80 That's actually (drumroll please)...bug 653872. (Note the last three digits of that bug and this one.) Sigh.
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla6
|
||
Comment 5•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/34e8a687ea80 http://hg.mozilla.org/mozilla-central/rev/49f49164c1d7
|
|
||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•