Closed
Bug 645991
Opened 13 years ago
Closed 13 years ago
TI: Assertion failure: top->isType(JSVAL_TYPE_OBJECT) // Crash @ [JSString::isLinear]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 645629
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase)
The following code crashes on TI tip when run with -m -n -a (tested on 64 bit):
CompareSplit( "hello", "hellothere" );
CompareSplit( new String("hello" ) );
function CompareSplit( string, separator ) {
split_1 = string.split( separator );
while (true ) {
}
}
0x0000000000412d02 in JSString::isLinear (this=0x0) at ./jsstr.h:283
283 return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS;
(gdb) bt
#0 0x0000000000412d02 in JSString::isLinear (this=0x0) at ./jsstr.h:283
#1 0x0000000000412e0a in JSLinearString::chars (this=0x0) at ./jsstr.h:407
#2 0x000000000051d4df in js_CheckForStringIndex (id={asBits = 0}) at jsobj.cpp:4578
#3 0x000000000051f7fc in js_GetPropertyHelperWithShapeInline (cx=0xebfbe0, obj=0x7fe891a10058, receiver=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30,
shapeOut=0x7fffe6bb2e68, holderOut=0x7fffe6bb2e60) at jsobj.cpp:5437
#4 0x000000000051fcd3 in js_GetPropertyHelperInline (cx=0xebfbe0, obj=0x7fe891a10058, receiver=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30) at jsobj.cpp:5545
#5 0x000000000051fd21 in js_GetPropertyHelper (cx=0xebfbe0, obj=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30) at jsobj.cpp:5551
#6 0x000000000077de91 in js::mjit::stubs::CallProp (f=@0x7fffe6bb2fa0, origAtom=0x0) at ./methodjit/StubCalls.cpp:2131
When omitting the "while (true) {}" in the code, the assertion pops up instead. This could be related or duplicate to 645985.
|
||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•