Bug 876642 - Assertion failure: s <= end, at ../jsstrinlines.h:98
Status: Closed, RESOLVED DUPLICATE of bug 875804
Opened 11 years ago; closed 11 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Unassigned
Details: Keywords: assertion, crash, testcase; Whiteboard: [jsbugmon:update]
Attachments: 1 file (758 bytes, text/plain)
Description (Reporter)

The following testcase asserts on mozilla-central revision c190422547ed (no options required):

    // next() hands back the function object itself, so each iteration step
    // yields a non-string value and never signals the end of iteration.
    function my_iterator_next() { return my_iterator_next; }

    function testCustomIterator() {
        // Legacy SpiderMonkey iteration protocol: for-in calls __iterator__
        // and then repeatedly calls next() on the object it returns.
        var o = {
            __iterator__: function () {
                return { next: my_iterator_next, };
            }
        };
        for (var j in o) {
            unescape(1 + (j >> 0));
            // Use this line instead to get a straight unsafe crash
            //unescape(j);
        }
    }

    testCustomIterator();
Comment 1 • 11 years ago (Reporter)

Comment 2 • 11 years ago (Reporter)
This range assertion can be turned quickly into a non-safe crash:

    Program received signal SIGSEGV, Segmentation fault.
    0x0831cab5 in str_unescape (cx=0x92693c8, argc=1, vp=0xffffc654) at js/src/jsstr.cpp:290
    290	    jschar c = chars[k];
    (gdb) bt
    #0  0x0831cab5 in str_unescape (cx=0x92693c8, argc=1, vp=0xffffc654) at js/src/jsstr.cpp:290
    #1  0xf7fd2784 in ?? ()
    Cannot access memory at address 0xffffff8b
    (gdb) info register edx
    0xf7600000	-144703488
    (gdb) x /i $pc
    => 0x831cab5 <str_unescape(JSContext*, unsigned int, JS::Value*)+245>:	movzwl (%edx),%edi

I assume this is some form of confusion between a string and something else. Bug 876458 might be pointing to the same problem, but I'll wait for the bisect result to confirm that they both have the same regressor.
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Updated • 11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 • 11 years ago (Reporter)
JSBugMon: Bisection requested, result:

    autoBisect shows this is probably related to the following changeset:

    The first bad revision is:
    changeset:   132801:4370f503d69f
    user:        Brian Hackett
    date:        Thu May 23 13:25:19 2013 -0600
    summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

    This iteration took 9.865 seconds to run.
Comment 4 • 11 years ago (Reporter)
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Updated • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security