Status
()
People
(Reporter: gkw, Assigned: jandem)
Tracking
(Blocks: 2 bugs, 5 keywords)
Firefox Tracking Flags
(firefox22 unaffected, firefox23 verified, firefox-esr17 unaffected, b2g18 unaffected)
Details
(Whiteboard: [jsbugmon:update][adv-main23-])
Attachments
(1 attachment)
|
1.28 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
try {
y = 'x'
Object.defineProperty(this, "z", {
get: function() {
y += y
return z
}
})
Uint8Array(z)
} catch (e) {}
for (v of y) {}
asserts js debug shell on m-c changeset 05533d50f2f7 with --ion-eager at Assertion failure: length <= MAX_LENGTH, at vm/String.h
|
(Assignee) | |
Comment 1•6 years ago
|
||
Created attachment 742966 [details] [diff] [review] Patch Good catch. Regression from bug 863018. temp2 holds the length of the LHS, temp2 holds the result length and is the one we want to test against JSString::MAX_LENGTH.
|
||
Comment 2•6 years ago
|
||
Comment on attachment 742966 [details] [diff] [review] Patch Review of attachment 742966 [details] [diff] [review]: ----------------------------------------------------------------- Indeed an easy one to overlook.
Attachment #742966 -
Flags: review?(hv1989) → review+
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 3•6 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 130142:3b7a2cbccaaa user: Jan de Mooij date: Fri Apr 26 14:08:54 2013 +0200 summary: Bug 863018 part 2 - Add JSShortString path back to ConcatStrings and LConcat. r=luke This iteration took 149.557 seconds to run.
|
|
||
Comment 4•6 years ago
|
||
I'm pretty sure this is s-s and at least sec-high. I'm seeing this trace in my fuzzer with the same assertion:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000672298 in JSString::buildLengthAndFlags (
flags=<optimized out>, length=<optimized out>, this=<optimized out>)
at ../vm/String.h:231
231 JS_ASSERT(length <= MAX_LENGTH);
#0 0x0000000000672298 in JSString::buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#1 0x0000000000674380 in buildLengthAndFlags (flags=<optimized out>, length=<optimized out>, this=<optimized out>) at ../vm/String.h:231
#2 JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=<error reading variable: Cannot access memory at address 0x64006300620061>, maybecx=<optimized out>) at js/src/vm/String.cpp:276
Notice the memory address in frame #2 consisting of a string (in 16 bit unicode).|
|
(Assignee) | |
Comment 6•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cf9469c2c3c6
|
||
Comment 7•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cf9469c2c3c6
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
status-firefox23: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
||
Updated•6 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 8•6 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•6 years ago
|
status-b2g18: --- → unaffected
status-firefox22: --- → unaffected
status-firefox-esr17: --- → unaffected
|
||
Comment 9•6 years ago
|
||
Marking status-firefox23:verified based on comment 8.
status-firefox23: fixed → verified
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main23-]
|
|
||
Updated•5 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•