Closed Bug 868189 Opened 12 years ago Closed 12 years ago

Various assertions found with patches for bug 865059 and bug 867753

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 2 obsolete files)

Pastebin patch v2
(deleted), patch
Details | Diff | Splinter Review
stack for assertion
(deleted), text/plain
Details
Attached file stack (obsolete) (deleted) —
disassemble("-r", Function("\ 2(function() {\ 1(function() {\ for (var a = 0; a < 9; a++) {\ 1\ }\ })\ })\ ")) asserts js debug shell on m-i changeset 5ac1564bff87 without any CLI arguments at Assertion failure: tn->kind < ArrayLength(TryNoteNames), at shell/js.cpp bhackett specially requested for fuzzing this changeset to find regressions to the patch(es) in bug 865059.
Flags: needinfo?(bhackett1024)
Attached file Pastebin patch (obsolete) (deleted) —
bhackett requested to use the patch in http://www.pastebin.mozilla.org/2369647 (replicated here) to fuzz again, which has fixes for this bug and bug 867753. This likely found: evalcx("for each(c in print())''", newGlobal('')) Assertion failure: fun(), at ion/CompileInfo.h
Assignee: general → gary
Status: NEW → ASSIGNED
Oops, wrong bug.
Assignee: gary → general
Status: ASSIGNED → NEW
Depends on: 868564
Attached patch Pastebin patch v2 (deleted) — Splinter Review
http://www.pastebin.mozilla.org/2369719 is an updated pastebin patch provided by bhackett to fix the bug in comment 1. (replicated here)
Attachment #744872 - Attachment is obsolete: true
Attached file stack for assertion (deleted) —
function f() {} for (var a = 0; a < 99; a++) { f() } Assertion failure: script->types, at jsinferinlines.h (Pastebin patch v2 applied on m-i rev 99b086e10c8d, tested on 32-bit debug shell) This blocks all further fuzzing on jsfunfuzz.
Attachment #744827 - Attachment is obsolete: true
Summary: Assertion failure: tn->kind < ArrayLength(TryNoteNames), at shell/js.cpp → Various assertions found with patches for bug 865059 and bug 867753
All requested fuzzing here was finished.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: