Assertion failure: ((js::SrcNoteType)(((*(sn) >> 3) >= SRC_XDELTA) ? SRC_XDELTA : *(sn) >> 3)) == SRC_DESTRUCT, at jsopcode.cpp:3543

VERIFIED FIXED

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: Waldo)

Tracking

(Blocks: 1 bug, {assertion, testcase, verified-beta})

Version: Trunk
Platform: x86_64 Linux
Keywords: assertion, testcase, verified-beta
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox8- wontfix, firefox9+ fixed, firefox10+ fixed, firefox11+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical] fixed by 685321 [qa!])

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision c60535115ea1 (no options required):


function F(x, y) {
  var { j, y, p, a } = testSyntax("#1=<a>b</a>", true) =  this;
}
var src = F.toSource(-1)+"\n";


Could be related to a decompiler patch that landed recently, Cc'ing Luke and Waldo.
Reduced somewhat (potentially morphing, but I don't quite think so), I get this:

  (function F(x) { var {x} = this; }).toSource(-1);

That implicates bug 685321, which I really need to get to soon.  :-\
Group: core-security
"depends on" rather than "dupe" in case of morphing, but if a patch for that bug fixes this one we can dupe at that time. Please include both Christian's original and your variant as regression tests when you check in.
Depends on: 685321
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
Jeff, recording you as assignee since you're working on the likely dup.
Assignee: general → jwalden+bmo

Updated

6 years ago
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → +
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 685321
Would like decoder to verify that the fix for bug 685321 really does fix his testcase.
status-firefox11: affected → fixed
Resolution: DUPLICATE → FIXED
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] fixed by 685321
(Reporter)

Comment 6

6 years ago
Confirmed that the test in comment 0 no longer reproduces on trunk.
Whiteboard: [sg:critical] fixed by 685321 → [sg:critical] fixed by 685321 [qa+]
Fixed in 10 by bug 685321.
status-firefox10: affected → fixed
status-firefox9: affected → fixed
status1.9.2: --- → unaffected
Group: core-security
OS: Ubuntu 11.04 64bit
I have built the js from mozilla-beta-52cf2b0c8439 and run the tests from comment #0 and comment #1 and no error was displayed.
Status: RESOLVED → VERIFIED
status-firefox11: fixed → verified
Keywords: verified-beta
Whiteboard: [sg:critical] fixed by 685321 [qa+] → [sg:critical] fixed by 685321 [qa!]
(Reporter)

Comment 9

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+