Closed
Bug 621432
Opened 14 years ago
Closed 14 years ago
Assertion failure: script->main <= target && target < script->code + script->length
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla2.0b12
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: decoder, Assigned: Waldo)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [softblocker][fixed-in-tracemonkey])
Attachments
(3 files)
|
(deleted),
application/javascript
|
Details | |
|
(deleted),
application/javascript
|
Details | |
|
(deleted),
patch
|
jorendorff
:
review+
beltzner
:
approval2.0+
|
Details | Diff | Splinter Review |
Running the two attachments "t1.js" and "t2.js" together in the shell using
$ js -f t1.js -f t2.js
yields the assertion:
Assertion failure: script->main <= target && target < script->code + script->length, at jsopcode.cpp:5491
Aborted
The two files might not be minimal but cannot be combined into a single file.
|
Reporter | |
Comment 1•14 years ago
|
||
|
|
Reporter | |
Comment 2•14 years ago
|
||
This bisect might be related:
Changeset 54587: bad
The first bad revision is:
changeset: 54587
user: Brendan Eich <removed>
date: Thu Sep 16 11:56:54 2010 -0700
summary: Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff).
Keywords: regression,
testcase
|
||
Updated•14 years ago
|
blocking2.0: ? → final+
Whiteboard: softblocker
|
Assignee | |
Updated•14 years ago
|
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•14 years ago
|
||
Reduced:
var toSource = []; Object.preventExtensions(this); eval("const x");
The proximate failure is pretty obvious now, suspect the fix isn't far behind.
|
|
Assignee | |
Comment 4•14 years ago
|
||
Ideally we shouldn't be invoking user-specified decompilation behavior at all here -- see bug 633623 -- but for now just make this case behave correctly and not assert.
Attachment #511849 -
Flags: review?(jorendorff)
|
||
Comment 5•14 years ago
|
||
Comment on attachment 511849 [details] [diff] [review]
Handle errors thrown in the script prolog
Well... OK. But I am tempted to minus this and insist on fixing the caller. The release-mode behavior is OK, right?
Attachment #511849 -
Flags: review?(jorendorff) → review+
|
|
||
Comment 6•14 years ago
|
||
(I am not really tempted. Push it and let's fix the follow-up bug after ship.)
|
||
Comment 7•14 years ago
|
||
Comment on attachment 511849 [details] [diff] [review]
Handle errors thrown in the script prolog
Helping to ask for approval2.0, this helps to fix fuzzbugs like this one and potentially bug 631776 as well.
Attachment #511849 -
Flags: approval2.0?
|
||
Comment 8•14 years ago
|
||
Comment on attachment 511849 [details] [diff] [review]
Handle errors thrown in the script prolog
a=beltzner
Attachment #511849 -
Flags: approval2.0? → approval2.0+
|
|
Assignee | |
Comment 9•14 years ago
|
||
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
Target Milestone: --- → mozilla2.0b12
|
||
Comment 11•14 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•