Closed Bug 868189 Opened 11 years ago Closed 11 years ago

Various assertions found with patches for bug 865059 and bug 867753

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 2 obsolete files)

Pastebin patch v2
27.18 KB, patch
Details | Diff | Splinter Review
stack for assertion
6.62 KB, text/plain
Details
Attached file stack (obsolete) — 
disassemble("-r", Function("\
    2(function() {\
        1(function() {\
            for (var a = 0; a < 9; a++) {\
                1\
            }\
        })\
    })\
"))

asserts js debug shell on m-i changeset 5ac1564bff87 without any CLI arguments at Assertion failure: tn->kind < ArrayLength(TryNoteNames), at shell/js.cpp

bhackett specially requested for fuzzing this changeset to find regressions to the patch(es) in bug 865059.
Flags: needinfo?(bhackett1024)
Attached file Pastebin patch (obsolete) — 
bhackett requested to use the patch in http://www.pastebin.mozilla.org/2369647 (replicated here) to fuzz again, which has fixes for this bug and bug 867753.

This likely found:

evalcx("for each(c in print())''", newGlobal(''))

Assertion failure: fun(), at ion/CompileInfo.h
Assignee: general → gary
Status: NEW → ASSIGNED
Oops, wrong bug.
Assignee: gary → general
Status: ASSIGNED → NEW
Depends on: 868564
http://www.pastebin.mozilla.org/2369719 is an updated pastebin patch provided by bhackett to fix the bug in comment 1. (replicated here)
Attachment #744872 - Attachment is obsolete: true
Attached file stack for assertion 
function f() {}
for (var a = 0; a < 99; a++) {
    f()
}

Assertion failure: script->types, at jsinferinlines.h (Pastebin patch v2 applied on m-i rev 99b086e10c8d, tested on 32-bit debug shell)

This blocks all further fuzzing on jsfunfuzz.
Attachment #744827 - Attachment is obsolete: true
Summary: Assertion failure: tn->kind < ArrayLength(TryNoteNames), at shell/js.cpp → Various assertions found with patches for bug 865059 and bug 867753
All requested fuzzing here was finished.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: