Closed Bug 675921 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: codeArray[offset]," with trap

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

stack
1.70 KB, text/plain
Details
Attached file stack 
function g() {
    var a
    trap(f, 20, a)
}
String.prototype.__proto__.r = 6
f = Function("L:for(var y in 3){return}")
g()(typeof f())

asserts js debug shell on JM changeset 674160662e80 with -m, -a, -d and -n at Assertion failure: codeArray[offset],

This was found using a combination of jsfunfuzz and jandem's method fuzzer.
When rejoining into the interpreter we compute the sp of the next opcode (only used in certain circumstances) but did not account for rejoins at opcodes with no fallthrough and an unreachable successor.

http://hg.mozilla.org/projects/jaegermonkey/rev/a82d5a5e070e
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: