Closed
Bug 656226
Opened 13 years ago
Closed 13 years ago
TI: "Assertion failure: (uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT,"
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 655950
People
(Reporter: gkw, Unassigned)
Details
(Keywords: assertion, testcase)
o7 = (5).__proto__
function f0(o) {
  ({ x: function() { return o } }.x().p = function() { x: eval("") }, true)
}
for (i = 0;;) { f0(o7) }

asserts js debug shell on JM changeset fd1abc43d698 with -m and -n at

Assertion failure: (uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT,

(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081fda8d in JS_Assert (s=0x83c791c "(uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT", file=0x83c78a8 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsval.h", ln=500) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsutil.cpp:89
#3  0x0804ad8a in JSVAL_IS_OBJECT_OR_NULL_IMPL (l=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsval.h:500
#4  0x08059ff2 in js::Value::isObjectOrNull (this=0xf76e40b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsvalue.h:514
#5  0x08151e25 in js_ValueToObjectOrNull (cx=0x84e4028, v=..., objp=0xffffb44c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsobj.cpp:6628
#6  0x08151fad in js_ValueToNonNullObject (cx=0x84e4028, v=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsobj.cpp:6669
#7  0x08397c92 in js::Interpret (cx=0x84e4028, entryFrame=0xf76e4080, inlineCallCount=0, interpMode=js::JSINTERP_SAFEPOINT) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsinterp.cpp:4275
#8  0x08354b19 in js_InternalInterpret (returnData=0xf750f070, returnType=0xffff0007, returnReg=0x82b6370, f=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/methodjit/InvokeHelpers.cpp:1621
#9  0x082b6348 in JaegerInterpoline () at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/methodjit/MethodJIT.cpp:152
#10 0x000f4240 in ?? ()
#11 0x00000000 in ?? ()
Comment 1 • 13 years ago (Reporter)
Pass the testcase in as a CLI argument to try to reproduce.
Comment 2 • 13 years ago
Hmm, can't repro. Was this fixed by bug 655950?
Comment 3 • 13 years ago
Don't have a Linux VM installed to confirm, but this hits the busted cast fixed in bug 655950, so I'm guessing that's the problem.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
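The duplicate call in comment 3 rests on matching this report against bug 655950 by the assertion hit and the engine frames below it, not by addresses, which change from build to build. The following Python triage helper is an added example, not part of this bug or of SpiderMonkey: it parses the gdb backtrace quoted in the description into frames, extracts the expression passed to JS_Assert, and derives a crash signature from the first in-engine frames while ignoring addresses and the fuzzer's build directory. The two further backtraces in it are constructed for contrast (one is the page's own backtrace with addresses and build path rewritten, the other a hypothetical different caller named hypothetical_other_caller) so both the matching and the non-matching case run.

```python
import re
from typing import NamedTuple, Optional

# Added triage helper (not part of bug 656226 or of SpiderMonkey): parse a gdb
# backtrace into frames, pull out the JS_Assert expression, and build an
# address-independent crash signature so two fuzzer-found assertions can be
# compared for duplication.

class Frame(NamedTuple):
    index: int
    func: str
    args: str
    path: Optional[str]
    line: Optional[int]

# One gdb "bt" line: "#N  0xADDR in func (args) at path:line"; the
# "0xADDR in" and "at path:line" parts are optional.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\S+)\s*\((?P<args>.*)\)"
    r"(?: at (?P<path>\S+):(?P<line>\d+))?\s*$"
)

# Frames that carry no information about where in the engine the failure is.
NOISE_FUNCS = {"__kernel_vsyscall", "raise", "abort", "JS_Assert", "??"}

def parse_backtrace(text):
    """Return the frames of a gdb 'bt' dump, skipping lines that are not frames."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["idx"]), m["func"], m["args"], m["path"],
                                int(m["line"]) if m["line"] else None))
    return frames

def assertion_message(frames):
    """The expression string passed to JS_Assert as its 's' argument, or None."""
    for f in frames:
        if f.func == "JS_Assert":
            m = re.search(r'\bs=0x[0-9a-fA-F]+ "((?:[^"\\]|\\.)*)"', f.args)
            if m:
                return m.group(1)
    return None

def crash_signature(frames, depth=3):
    """First `depth` non-noise function names; addresses and build paths are ignored."""
    return tuple(f.func for f in frames if f.func not in NOISE_FUNCS)[:depth]

def same_crash(bt_a, bt_b, depth=3):
    """Two dumps are treated as duplicates when assertion text and signature match."""
    fa, fb = parse_backtrace(bt_a), parse_backtrace(bt_b)
    return (assertion_message(fa) == assertion_message(fb)
            and crash_signature(fa, depth) == crash_signature(fb, depth))

# The backtrace from the bug description, one frame per line.
BUILD = "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src"
BACKTRACE = f"""\
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081fda8d in JS_Assert (s=0x83c791c "(uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT", file=0x83c78a8 "{BUILD}/jsval.h", ln=500) at {BUILD}/jsutil.cpp:89
#3  0x0804ad8a in JSVAL_IS_OBJECT_OR_NULL_IMPL (l=...) at {BUILD}/jsval.h:500
#4  0x08059ff2 in js::Value::isObjectOrNull (this=0xf76e40b8) at {BUILD}/jsvalue.h:514
#5  0x08151e25 in js_ValueToObjectOrNull (cx=0x84e4028, v=..., objp=0xffffb44c) at {BUILD}/jsobj.cpp:6628
#6  0x08151fad in js_ValueToNonNullObject (cx=0x84e4028, v=...) at {BUILD}/jsobj.cpp:6669
#7  0x08397c92 in js::Interpret (cx=0x84e4028, entryFrame=0xf76e4080, inlineCallCount=0, interpMode=js::JSINTERP_SAFEPOINT) at {BUILD}/jsinterp.cpp:4275
#8  0x08354b19 in js_InternalInterpret (returnData=0xf750f070, returnType=0xffff0007, returnReg=0x82b6370, f=...) at {BUILD}/methodjit/InvokeHelpers.cpp:1621
#9  0x082b6348 in JaegerInterpoline () at {BUILD}/methodjit/MethodJIT.cpp:152
#10 0x000f4240 in ?? ()
#11 0x00000000 in ?? ()
"""

# Constructed: the same crash reproduced on another machine, so addresses and
# the build directory differ but the engine frames do not.
REBUILT_ELSEWHERE = re.sub(r"0x[0-9a-fA-F]+", "0x0", BACKTRACE).replace(BUILD, "/tmp/other-build/js/src")

# Constructed and hypothetical: the same assertion reached from a different
# caller, which signature-based triage must keep separate.
DIFFERENT_CRASH = """\
#0  0x0 in __kernel_vsyscall ()
#1  0x0 in raise (sig=6) at pt-raise.c:42
#2  0x0 in JS_Assert (s=0x0 "(uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT", file=0x0 "jsval.h", ln=500) at jsutil.cpp:89
#3  0x0 in JSVAL_IS_OBJECT_OR_NULL_IMPL (l=...) at jsval.h:500
#4  0x0 in js::Value::isObjectOrNull (this=0x0) at jsvalue.h:514
#5  0x0 in hypothetical_other_caller (cx=0x0) at hypothetical.cpp:1
"""

if __name__ == "__main__":
    frames = parse_backtrace(BACKTRACE)
    print("assertion:", assertion_message(frames))
    print("signature:", crash_signature(frames))
    print("same crash, other build:", same_crash(BACKTRACE, REBUILT_ELSEWHERE))
    print("same crash, other caller:", same_crash(BACKTRACE, DIFFERENT_CRASH))
```

The signature depth of three frames is a choice, not a rule: shallower signatures over-merge unrelated bugs that share a hot helper, deeper ones split one bug across the different interpreter or JIT entry points that reach it, so pick the depth that stops at the first frame your team considers the real fault site.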
Comment 4 • 11 years ago
A testcase for this bug was already added in the original bug (bug 655950).
Flags: in-testsuite-