Closed Bug 761396 Opened 13 years ago Closed 13 years ago

"Assertion failure: offset < script->length,"

Tracking

()

Status:

RESOLVED DUPLICATE of bug 759719

Tracking Flags:

Tracking

Status

firefox12

---

unaffected

firefox13

---

unaffected

firefox14

---

unaffected

firefox15

---

fixed

People

(Reporter: gkw, Unassigned)

References

Details

(5 keywords, Whiteboard: [sg:dupe 759719])

Attachments

(4 files)

stack 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 5.26 KB, text/plain		Details
fragile testcase 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 1.73 KB, text/plain		Details
another Valgrind testcase 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 1.70 KB, text/plain		Details
stack 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 5.76 KB, text/plain		Details

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

13 years ago

Attached file stack — Details

The upcoming attached testcase asserts 64-bit (tested on Windows 7, but assert also seems to show up in Mac OS X 10.7) js debug shell on m-c changeset 0e4f8e1a141b with -m and -n at Assertion failure: offset < script->length, I'd be cautious about this TI bug and mark it s-s pending further analysis. The first bad revision is: changeset: 94968:de141e924806 user: Brian Hackett date: Fri May 25 08:20:33 2012 -0700 summary: Move JIT handles in scripts to a separate structure, bug 758613. r= dvander

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 1

•

13 years ago

Attached file fragile testcase — Details

s/TI bug/JIT bug

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 2

•

13 years ago

Attached file another Valgrind testcase — Details

Put this testcase in a subfolder and pass it into the shell with -m and -n: ./js -m -n subfolder/testcase.js Valgrind errors should show up.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 3

•

13 years ago

Attached file stack — Details

Valgrind stack for previous testcase. This testcase seems like a similar bug because autoBisect points to the same regressing changeset in comment 0.

Christian Holler (:decoder)

Comment 4

•

13 years ago

Very likely a dup of bug 759719 based on the Valgrind stack.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Updated

•

13 years ago

status-firefox12: --- → unaffected

status-firefox13: --- → unaffected

status-firefox14: --- → unaffected

status-firefox15: --- → affected

Keywords: sec-critical, valgrind

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 5

•

13 years ago

Seems to be a dupe. I just checked that the patch in that bug fixes the issues in this bug.

Status: NEW → RESOLVED

Closed: 13 years ago

Resolution: --- → DUPLICATE

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 6

•

13 years ago

Large fragile testcase, resolved DUPE -> in-testsuite-

Flags: in-testsuite-

Daniel Veditz [:dveditz]

Updated

•

13 years ago

Group: core-security

status-firefox15: affected → fixed

Keywords: sec-critical → sec-other

Whiteboard: js-triage-needed → [sg:dupe 759719]

You need to log in before you can comment on or make changes to this bug.

Bugzilla

"Assertion failure: offset < script->length,"

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Unassigned)

References

Details

(5 keywords, Whiteboard: [sg:dupe 759719])

Crash Data

Security

(public)

User Story

Attachments

(4 files)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Updated

Attachment

General

Description

File Name

Content Type