Closed Bug 811606 Opened 10 years ago Closed 10 years ago

Crash [@ JSFunction::inStrictMode] or "Assertion failure: hasScript(),"

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla19
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 --- unaffected
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Crash Data

Attachments

(1 file)

Attached file stack
for each(e in [].some) {}

asserts js debug shell on m-c changeset 4e9567eeb09e without any CLI arguments at Assertion failure: hasScript(), and crashes js opt shell at JSFunction::inStrictMode

s-s due to its simplicity to be safe, even though it seems to be a null deref. Setting fuzzblocker because this is blowing up the fuzzers.

I'm pretty sure this is a recent regression - autoBisect is now running.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   113105:3da143341145
user:        Till Schneidereit
date:        Tue Aug 28 14:35:15 2012 +0200
summary:     Bug 784294 - Convert some array extras to self-hosted js implementations. r=Waldo
Blocks: 784294
Null deref = sec-moderate and csec-dos, please feel free to change this if needed.
Crash Signature: [@ JSFunction::inStrictMode]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd68409d7810).
Bug 784294 was backed out in https://hg.mozilla.org/mozilla-central/rev/dd68409d7810 - "fixing" this.

Till, please add this testcase to future revised patches.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
fwiw, the assertion was hit in crash automation on Windows at:

http://quizlet.com/16231061/edit/
http://www.giantbomb.com/news/worth-reading-110912/4446/
http://9gag.com/gag/5812496

It appears to have been fixed by the back out as well.
I think we can make this public, as the causing code never made a Nightly.
Group: core-security
Target Milestone: --- → mozilla19
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+