Closed
Bug 811606
Opened 10 years ago
Closed 10 years ago
Crash [@ JSFunction::inStrictMode] or "Assertion failure: hasScript(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla19
| Tracking | Status | |
|---|---|---|
| firefox16 | --- | unaffected |
| firefox17 | --- | unaffected |
| firefox18 | --- | unaffected |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])
Crash Data
Attachments
(1 file)
|
11.91 KB,
text/plain
|
Details |
for each(e in [].some) {}
asserts js debug shell on m-c changeset 4e9567eeb09e without any CLI arguments at Assertion failure: hasScript(), and crashes js opt shell at JSFunction::inStrictMode
s-s due to its simplicity to be safe, even though it seems to be a null deref. Setting fuzzblocker because this is blowing up the fuzzers.
I'm pretty sure this is a recent regression - autoBisect is now running.
|
Reporter | |
Comment 1•10 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 113105:3da143341145 user: Till Schneidereit date: Tue Aug 28 14:35:15 2012 +0200 summary: Bug 784294 - Convert some array extras to self-hosted js implementations. r=Waldo
Blocks: 784294
|
|
Reporter | |
Comment 2•10 years ago
|
||
Null deref = sec-moderate and csec-dos, please feel free to change this if needed.
|
|
Reporter | |
Updated•10 years ago
|
Crash Signature: [@ JSFunction::inStrictMode]
|
||
Updated•10 years ago
|
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
|
|
||
Comment 3•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd68409d7810).
|
|
Reporter | |
Comment 4•10 years ago
|
||
Bug 784294 was backed out in https://hg.mozilla.org/mozilla-central/rev/dd68409d7810 - "fixing" this. Till, please add this testcase to future revised patches.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
|
|
||
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 5•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Comment 6•10 years ago
|
||
fwiw, the assertion was hit in crash automation on windows at: http://quizlet.com/16231061/edit/ http://www.giantbomb.com/news/worth-reading-110912/4446/ http://9gag.com/gag/5812496 It appears to have been fixed by the back out as well.
|
||
Comment 7•10 years ago
|
||
I think we can make this public, as the causing code never made a Nightly.
|
|
Reporter | |
Updated•10 years ago
|
Group: core-security
|
||
Updated•10 years ago
|
|
|
Reporter | |
Updated•10 years ago
|
Keywords: sec-moderate
|
|
||
Comment 8•10 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•