Closed
Bug 963077
Opened 11 years ago
Closed 11 years ago
Assertion failure: hasScript(), at c:\users\mozilla\debug-builds\mozilla-central\js\src\jsfun.h:337
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla29
| Tracking | Status | |
|---|---|---|
| firefox27 | --- | unaffected |
| firefox28 | --- | unaffected |
| firefox29 | --- | fixed |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.4 | --- | fixed |
People
(Reporter: cbook, Assigned: till)
References
()
Details
(Keywords: assertion, intermittent-failure)
Attachments
(3 files)
found via bughunter
steps to reproduce:
-> Trunk Debug Build from m-c tip on win7
-> Load http://www.bitdefender.co.uk/solutions/total-security.html
--> Assertion failure after a few seconds
working on a regression range and testcase
|
Assignee | |
Comment 1•11 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #0)
> working on a regression range and testcase
This almost certainly is caused by bug 886193. I'm looking into it (though I can't currently reproduce), but I don't think it's necessarily sec-critical.
|
|
Assignee | |
Comment 2•11 years ago
|
||
I just rebuilt, and can't reproduce at all. I'm on OS X, though. Reliable STR would be great.
|
Reporter | |
Comment 3•11 years ago
|
||
|
|
Reporter | |
Comment 4•11 years ago
|
||
|
|
Reporter | |
Comment 5•11 years ago
|
||
(In reply to Till Schneidereit [:till] from comment #2)
> I just rebuilt, and can't reproduce at all. I'm on OS X, though. Reliable
> STR would be great.
hm seems according to bughunter that this happens on linux and windows but also no results/crashes for mac OS X so far and steps to reproduce from comment #0 still works, only that i had to reload the site sometimes to crash
|
|
Assignee | |
Comment 6•11 years ago
|
||
Ok, I'll try reproducing on Linux, then. Thanks for the further info.
|
|
Assignee | |
Comment 7•11 years ago
|
||
And of course I can't reproduce on Linux (Fedora 19 64bit), either
|
|
Assignee | |
Comment 8•11 years ago
|
||
Turns out js_fun_apply uses the callee before Invoke is called and ensures that the function is delazified. This fixes that, and, judging by the stack traces, should also fix the crashes.
Attachment #8365091 -
Flags: review?(jdemooij)
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → till
Status: NEW → ASSIGNED
|
||
Comment 9•11 years ago
|
||
Comment on attachment 8365091 [details] [diff] [review]
ensure function is non-lazy before getting its arguments in js_fun_apply.
Review of attachment 8365091 [details] [diff] [review]:
-----------------------------------------------------------------
Good catch.
Attachment #8365091 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 10•11 years ago
|
||
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/9a565e0bd847
Jandem, thanks for the quick review; Tomcat, thanks for the stack traces and analysis. I didn't manage to reproduce the problem, but the stack traces gave me enough information in the end.
OS: Windows 7 → All
Hardware: x86 → All
|
|
Assignee | |
Comment 11•11 years ago
|
||
Bustage follow-up:
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/d319f9ddf227
|
||
Comment 12•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9a565e0bd847
https://hg.mozilla.org/mozilla-central/rev/d319f9ddf227
Blocks: 886193
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.4:
--- → fixed
status-firefox27:
--- → unaffected
status-firefox28:
--- → unaffected
status-firefox29:
--- → fixed
status-firefox-esr24:
--- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•