Closed Bug 912978 Opened 12 years ago Closed 2 years ago

Assertion failure: bindingIndex < count(), at /srv/repos/mozilla/central-asan-opt-dbg/js/src/jsscript.cpp:246

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

RESOLVED INCOMPLETE

People

(Reporter: freddy, Unassigned)

Details

I am having this reproducible segfault (assertion failure), but cannot get other sensible information out of the crash (e.g. using an address sanitizer build) except addresses in libxul.so on stdout. I am not sure if this crash is exploitable, but as it requires heavy user interaction (see STR), I am not marking it core-security. Feel free to disagree :)

STR:
1) I am debugging a JS file using the developer tools debugger
2) I am setting a breakpoint on a function that is repeatedly called
3) The breakpoint is hit and I am navigating through the stack using the breadcrumbs in the UI (this step seems to be important)
4) I continue to the code, the breakpoint is hit a few more times, I always click on the run button.
5) Crash

My test case is rather big and dirty, but I fail at minimizing it. Bugzilla doesn't like zip attachments. Should I throw my folder somewhere in the clouds and link it from here?

According to hg, the affected code line was added in bug 767013. If that helps... CCing Luke
Assignee: general → nobody
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE