Closed Bug 561383 Opened 14 years ago Closed 14 years ago

Crash [@ js_Interpret] or "Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h" with eval

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 561011
Tracking Flags:
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [ccbr])

Crash Data

try {
    throw #1#
    for (c in [eval[o]]) {}
} catch(e) {}
for (var a = 0; a < 1; a++) {
    with(eval) {
        for (var b = 0; b < 1; b++) {}
    }
}

(pass the testcase in as a CLI argument to see the issue)

crashes js opt shell on TM tip without -j at js_Interpret and asserts js debug shell on TM tip without -j at Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183

===

js opt shell stack:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000000000000a8
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x0005b713 js_Interpret + 25763
1   js-opt-32-tm-darwin           	0x00064fa3 js_Execute + 531
2   js-opt-32-tm-darwin           	0x0000faac JS_ExecuteScript + 60
3   js-opt-32-tm-darwin           	0x0000546f Process(JSContext*, JSObject*, char*, int) + 1647
4   js-opt-32-tm-darwin           	0x000094aa main + 1626
5   js-opt-32-tm-darwin           	0x00002f9d _start + 208
6   js-opt-32-tm-darwin           	0x00002ecc start + 40
autoBisect shows this is probably related to bug 514981:

The first bad revision is:
changeset:   32201:c19b0d06d076
user:        Brendan Eich
date:        Wed Sep 09 20:21:15 2009 -0700
summary:     Bug 514981 - JSStackFrame::sharp{Array,Depth} should be locals allocated due to #n[#=] usage (r=igor).
Blocks: 514981
This crashes my Mac 64-bit m-c nightly, I think it might crash a 32-bit one too. Setting s-s.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a5pre) Gecko/20100420 Minefield/3.7a5pre
Group: core-security
Notice sharp vs. var-in-with.

/be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Group: core-security
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Crash Signature: [@ js_Interpret]
You need to log in before you can comment on or make changes to this bug.