Closed
Bug 701248
Opened 13 years ago
Closed 13 years ago
Assertion failure: ((js::SrcNoteType)(((*(sn) >> 3) >= SRC_XDELTA) ? SRC_XDELTA : *(sn) >> 3)) == SRC_DESTRUCT, at jsopcode.cpp:3543
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: decoder, Assigned: Waldo)
References
Details
(Keywords: assertion, testcase, verified-beta, Whiteboard: [sg:critical] fixed by 685321 [qa!])
The following test asserts on mozilla-central revision c60535115ea1 (no options required):
function F(x, y) {
var { j, y, p, a } = testSyntax("#1=<a>b</a>", true) = this;
}
var src = F.toSource(-1)+"\n";
Could be related to a decompiler patch that landed recently, Cc'ing Luke and Waldo.
|
Assignee | |
Comment 1•13 years ago
|
||
Reduced somewhat (potentially morphing, but I don't quite think so), I get this:
(function F(x) { var {x} = this; }).toSource(-1);
That implicates bug 685321, which I really need to get to soon. :-\
Group: core-security
|
||
Comment 2•13 years ago
|
||
"depends on" rather than "dupe" in case of morphing, but if a patch for that bug fixes this one we can dupe at that time. Please include both Christian's original and your variant as regression tests when you check in.
Depends on: 685321
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
|
||
Comment 3•13 years ago
|
||
Jeff, recording you as assignee since you're working on the likely dup.
Assignee: general → jwalden+bmo
|
||
Updated•13 years ago
|
status-firefox10:
--- → affected
status-firefox11:
--- → affected
status-firefox8:
--- → wontfix
status-firefox9:
--- → affected
tracking-firefox10:
--- → +
tracking-firefox11:
--- → +
tracking-firefox8:
--- → -
tracking-firefox9:
--- → +
|
|
||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
|
|
||
Comment 5•13 years ago
|
||
Would like decoder to verify that the fix for bug 685321 really does fix his testcase.
Resolution: DUPLICATE → FIXED
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] fixed by 685321
|
Reporter | |
Comment 6•13 years ago
|
||
Confirmed that the test in comment 0 no longer reproduces on trunk.
Whiteboard: [sg:critical] fixed by 685321 → [sg:critical] fixed by 685321 [qa+]
|
|
||
Comment 7•13 years ago
|
||
Fixed in 10 by bug 685321.
|
|
||
Updated•13 years ago
|
status1.9.2:
--- → unaffected
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Comment 8•13 years ago
|
||
OS: Ubuntu 11.04 64bit
I have built the js from mozilla-beta-52cf2b0c8439 and run the tests from comment #0 and comment #1 and no error was displayed.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [sg:critical] fixed by 685321 [qa+] → [sg:critical] fixed by 685321 [qa!]
|
|
Reporter | |
Comment 9•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•