Closed Bug 675921 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: codeArray[offset]," with trap

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

stack 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 1.70 KB, text/plain		Details

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

13 years ago

Attached file stack — Details

function g() { var a trap(f, 20, a) } String.prototype.__proto__.r = 6 f = Function("L:for(var y in 3){return}") g()(typeof f()) asserts js debug shell on JM changeset 674160662e80 with -m, -a, -d and -n at Assertion failure: codeArray[offset], This was found using a combination of jsfunfuzz and jandem's method fuzzer.

Brian Hackett [Laid off!]

Comment 1

•

13 years ago

When rejoining into the interpreter we compute the sp of the next opcode (only used in certain circumstances) but did not account for rejoins at opcodes with no fallthrough and an unreachable successor. http://hg.mozilla.org/projects/jaegermonkey/rev/a82d5a5e070e

Status: NEW → RESOLVED

Closed: 13 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TI: "Assertion failure: codeArray[offset]," with trap

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Attachment

General

Description

File Name

Content Type