Closed Bug 656226 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: (uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT,"

Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: critical

Status: RESOLVED DUPLICATE of bug 655950

Reporter: gkw, Unassigned

Keywords: assertion, testcase

// jsfunfuzz-generated testcase; run in a debug js shell with -m (method JIT) and -n (type inference).
o7 = (5).__proto__
function f0(o) {
    ({
        x: function() {
            return o
        }
    }.x().p = function() {
        x: eval("")   // labelled statement inside the function body, not an object literal
    }, true)
}
for (i = 0;;) {        // no exit condition: loops until the assertion fires
    f0(o7)
}

asserts js debug shell on JM changeset fd1abc43d698 with -m and -n at Assertion failure: (uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT,

(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081fda8d in JS_Assert (s=0x83c791c "(uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT", file=0x83c78a8 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsval.h", ln=500)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsutil.cpp:89
#3  0x0804ad8a in JSVAL_IS_OBJECT_OR_NULL_IMPL (l=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsval.h:500
#4  0x08059ff2 in js::Value::isObjectOrNull (this=0xf76e40b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsvalue.h:514
#5  0x08151e25 in js_ValueToObjectOrNull (cx=0x84e4028, v=..., objp=0xffffb44c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsobj.cpp:6628
#6  0x08151fad in js_ValueToNonNullObject (cx=0x84e4028, v=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsobj.cpp:6669
#7  0x08397c92 in js::Interpret (cx=0x84e4028, entryFrame=0xf76e4080, inlineCallCount=0, interpMode=js::JSINTERP_SAFEPOINT)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsinterp.cpp:4275
#8  0x08354b19 in js_InternalInterpret (returnData=0xf750f070, returnType=0xffff0007, returnReg=0x82b6370, f=...)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/methodjit/InvokeHelpers.cpp:1621
#9  0x082b6348 in JaegerInterpoline () at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/methodjit/MethodJIT.cpp:152
#10 0x000f4240 in ?? ()
#11 0x00000000 in ?? ()
Pass the testcase in as a CLI argument to try to reproduce.
Hmm, can't repro.  Was this fixed by bug 655950?
Don't have a Linux VM installed to confirm, but this hits the busted cast fixed in bug 655950, so I'm guessing that's the problem.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
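For readers who have not looked at jsval.h: the assertion in frame #3 is the well-formedness check that JSVAL_IS_OBJECT_OR_NULL_IMPL runs before it answers. The following is an added example, not code from this bug, from bug 655950, or from SpiderMonkey: a small model of the 32-bit NaN-boxed value layout and of that check. The JSVAL_TAG_CLEAR | JSVAL_TYPE_* constants, the little-endian word order and the helper names (from_words, box_*, classify) are assumptions made for the model, not quotations from the tree at changeset fd1abc43d698.

```c
/*
 * Added example, not SpiderMonkey code: a model of the 32-bit jsval layout
 * that JSVAL_IS_OBJECT_OR_NULL_IMPL inspects.  Tag constants follow the
 * JSVAL_TAG_CLEAR | JSVAL_TYPE_* scheme of the 2011 jsval.h and are an
 * assumption about that header, not quoted from it.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type bytes; NULL and OBJECT are the two largest so that one comparison
 * separates "object or null" from every other tagged value. */
#define JSVAL_TYPE_INT32  0x01u
#define JSVAL_TYPE_NULL   0x06u
#define JSVAL_TYPE_OBJECT 0x07u

/* High word of a non-double value.  The high word of a canonical double is
 * always below JSVAL_TAG_CLEAR, so tags never collide with doubles. */
#define JSVAL_TAG_CLEAR  0xFFFF0000u
#define JSVAL_TAG_INT32  (JSVAL_TAG_CLEAR | JSVAL_TYPE_INT32)
#define JSVAL_TAG_NULL   (JSVAL_TAG_CLEAR | JSVAL_TYPE_NULL)
#define JSVAL_TAG_OBJECT (JSVAL_TAG_CLEAR | JSVAL_TYPE_OBJECT)

/* x86 (little-endian) layout: payload in the low word, tag in the high word. */
typedef struct {
    uint32_t payload;  /* int32, boolean, or the 32-bit pointer */
    uint32_t tag;      /* JSVAL_TAG_* or the high word of a double */
} jsval_layout;

static jsval_layout from_words(uint32_t tag, uint32_t payload)
{
    jsval_layout l;
    l.tag = tag;
    l.payload = payload;
    return l;
}

static jsval_layout box_int32(int32_t i)
{
    return from_words(JSVAL_TAG_INT32, (uint32_t)i);
}

static jsval_layout box_double(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);   /* split the IEEE-754 bit pattern into words */
    return from_words((uint32_t)(bits >> 32), (uint32_t)bits);
}

static jsval_layout box_null(void)
{
    return from_words(JSVAL_TAG_NULL, 0);
}

/* Takes a constructed 32-bit address instead of a real pointer so the model
 * behaves identically on a 64-bit host. */
static jsval_layout box_object_bits(uint32_t fake_address)
{
    return from_words(JSVAL_TAG_OBJECT, fake_address);
}

/* The condition asserted at jsval.h:500 in the report. */
static bool tag_is_well_formed(jsval_layout l)
{
    return l.tag <= JSVAL_TAG_OBJECT;
}

/* What is left of the predicate once the assertion is compiled out: it only
 * checks the lower bound, so any tag above JSVAL_TAG_OBJECT is answered "yes". */
static bool is_object_or_null_unchecked(jsval_layout l)
{
    return l.tag >= JSVAL_TAG_NULL;
}

typedef enum { VAL_MALFORMED, VAL_OBJECT_OR_NULL, VAL_OTHER } val_class;

static val_class classify(jsval_layout l)
{
    if (!tag_is_well_formed(l))
        return VAL_MALFORMED;   /* a debug shell calls JS_Assert here */
    return is_object_or_null_unchecked(l) ? VAL_OBJECT_OR_NULL : VAL_OTHER;
}

int main(void)
{
    static const char *names[] = { "malformed", "object-or-null", "other" };
    jsval_layout samples[] = {
        box_int32(5),
        box_double(3.5),
        box_null(),
        box_object_bits(0x08123450u),
        /* Constructed garbage: a high word that is neither a tag nor the high
         * word of a canonical double (it would be a non-canonical NaN). */
        from_words(0xFFFFFFFFu, 0x08123450u),
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("tag=0x%08X payload=0x%08X -> %s\n",
               samples[i].tag, samples[i].payload, names[classify(samples[i])]);
    return 0;
}
```

The last sample is the situation the assertion exists for: in the model, is_object_or_null_unchecked() still returns true for it, so only the debug-build range check distinguishes a boxed object from a word that was never a valid jsval at all. Which cast produced such a word in this bug is not stated here; bug 655950 has the fix and the testcase.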
A testcase for this bug was already added in the original bug (bug 655950).
Flags: in-testsuite-