Closed
Bug 784639
Opened 12 years ago
Closed 12 years ago
"Assertion failure: pc >= code && pc + sizeof(uint32_t) < code + length,"
Categories
(Core :: JavaScript Engine, defect)
Status: VERIFIED FIXED
Target Milestone: mozilla17
 | Tracking | Status |
---|---|---|
firefox16 | --- | unaffected |
firefox17 | --- | verified |
firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: luke)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update][fuzzblocker][adv-track-main17-])
Attachments
(2 files)
(deleted), text/plain
(deleted), patch, bhackett1024: review+
evalcx("\
Object.defineProperty(this, \"a\", {});\
f = (function(j) {\
a = Proxy\
});\
Object.defineProperty(this, \"g\", {\
get: function() {\
return ({\
r: function() {},\
t: function() {}\
})\
}\
});\
for (p in g) {\
f(1)\
}\
", newGlobal())
asserts js debug shell on m-c changeset abc17059522b with -m, -n and -a at Assertion failure: pc >= code && pc + sizeof(uint32_t) < code + length,
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 102943:57c1c330e85f
user: Luke Wagner
date: Fri Aug 17 18:09:43 2012 -0700
summary: Bug 774915 - don't use the property cache for dynamic name lookup (r=bhackett)
Comment 1•12 years ago
Seeing the same here with varying stacks, marking as fuzzblocker.
Whiteboard: [jsbugmon:update][fuzzblocker]
Comment 2•12 years ago
This bug is also causing security-sensitive crashes on opt builds.
Group: core-security
Assignee
Comment 3•12 years ago
Gah, why does cx->fp() even still exist?!
Updated•12 years ago
Attachment #654233 - Flags: review?(bhackett1024) → review+
Assignee
Comment 4•12 years ago
Comment 5•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox17: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Updated•12 years ago
Status: RESOLVED → VERIFIED
Comment 6•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Updated•12 years ago
status-firefox16: --- → unaffected
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][adv-track-main17-]
Updated•12 years ago
Group: core-security
Comment 7•12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug784639.js.
Flags: in-testsuite+