Closed Bug 1078194 Opened 10 years ago Closed 10 years ago

Assertion failure: !baseArg->isDependent(), at /mozilla/builds/nightly/mozilla/js/src/vm/String-inl.h:168

Categories: Core :: JavaScript Engine, defect
Platform: x86 / All
Severity: critical
Status: RESOLVED FIXED
People: Reporter: cbook, Assigned: bhackett1024
Keywords: assertion, testcase
Attachments: 2 files

Found via bughunter:

Bughunter reports this crash for all platforms, and it was reproducible on a Win 7 debug build.

Steps to reproduce:
Load http://www.bbc.co.uk/news/uk-29438428
-> Windows 7 Trunk Debug from today results in:

Assertion failure: !baseArg->isDependent(), at /mozilla/builds/nightly/mozilla/js/src/vm/String-inl.h:168

0:000> g
(a28.108): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0000003a ecx=6866e0c2 edx=00000040 esi=00000002 edi=00000004
eip=655a30e4 esp=003cd988 ebp=003cd9cc iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
mozjs!JSDependentString::new_+0x64:
655a30e4 c705000000007b000000 mov dword ptr ds:[0],7Bh ds:0023:00000000=????????
0:000> ~* kp

.  0  Id: a28.108 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  
003cd9cc 6556fdb3 mozjs!JSDependentString::new_(class js::ExclusiveContext * cx = 0x08b2aef0, class JSLinearString * baseArg = 0x0f0894d0, unsigned int start = 0x4f, unsigned int length = 4)+0x64 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string-inl.h @ 168]
003cda10 653ea184 mozjs!js::NewDependentString(struct JSContext * cx = 0x08b2aef0, class JSString * baseArg = 0x0f089500, unsigned int start = 0, unsigned int length = 4)+0x123 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\string.cpp @ 903]
003cda80 6538a3ac mozjs!DoSubstr(struct JSContext * cx = 0x08b2aef0, class JSString * str = 0x0f089500, unsigned int begin = 0, unsigned int len = 4)+0x2b4 [c:\users\mozilla\debug-builds\mozilla-central\js\src\jsstr.cpp @ 628]
003cdb08 654d3b64 mozjs!js::str_substring(struct JSContext * cx = 0x08b2aef0, unsigned int argc = 2, class JS::Value * vp = 0x03edc310)+0x24c [c:\users\mozilla\debug-builds\mozilla-central\js\src\jsstr.cpp @ 681]
003cdb28 654f4b98 mozjs!js::CallJSNative(struct JSContext * cx = 0x08b2aef0, <function> * native = 0x6538a160, class JS::CallArgs * args = 0x003cdda8)+0x64 [c:\users\mozilla\debug-builds\mozilla-central\js\src\jscntxtinlines.h @ 231]
003cdd9c 654ec94d mozjs!js::Invoke(struct JSContext * cx = 0x08b2aef0, class JS::CallArgs args = class JS::CallArgs, js::MaybeConstruct construct = NO_CONSTRUCT (0n0))+0x328 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp @ 482]
003ce9e4 654f947f mozjs!Interpret(struct JSContext * cx = 0x08b2aef0, class js::RunState * state = 0x003cea50)+0x8e4d [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp @ 2547]
003cea3c 654dfb91 mozjs!js::RunScript(struct JSContext * cx = 0x08b2aef0, class js::RunState * state = 0x003cea50)+0x21f [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp @ 432]
003ceabc 654df96f mozjs!js::ExecuteKernel(struct JSContext * cx = 0x08b2aef0, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, class JSObject * scopeChainArg = 0x093b61f0, class JS::Value * thisv = 0x003ceaf0, js::ExecuteType type = EXECUTE_GLOBAL (0n1), class js::AbstractFramePtr evalInFrame = class js::AbstractFramePtr, class JS::Value * result = 0x00000000)+0x201 [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp @ 638]
003ceb18 6533f683 mozjs!js::Execute(struct JSContext * cx = 0x08b2aef0, class JS::Handle<JSScript *> script = class JS::Handle<JSScript *>, class JSObject * scopeChainArg = 0x093b61f0, class JS::Value * rval = 0x00000000)+0x1bf [c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp @ 675]
003cebf0 6533f95a mozjs!Evaluate(struct JSContext * cx = 0x08b2aef0, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, class JS::ReadOnlyCompileOptions * optionsArg = 0x003ced70, class JS::SourceBufferHolder * srcBuf = 0x003cef00, class JS::Value * rval = 0x00000000)+0x223 [c:\users\mozilla\debug-builds\mozilla-central\js\src\jsapi.cpp @ 4795]
Component: JavaScript Engine: JIT → JavaScript Engine
Assignee: nobody → bhackett1024
Depends on: 1066828
Blocks: 1066828
No longer depends on: 1066828
Attached file testcase
Keywords: testcase
This should be fixed by bug 1078871.
Depends on: 1078871
(In reply to Brian Hackett (:bhackett) from comment #3)
> This should be fixed by bug 1078871.

indeed!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED