Closed Bug 1141338 Opened 9 years ago Closed 9 years ago

Crash [@ JS::ObjectOpResult::reportStrictErrorOrWarning] or Assertion failure: (objBits >> 47) == 0, at dist/include/js/Value.h

Product/Component: Core :: JavaScript Engine (defect)
Hardware: x86_64
OS: All
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1141154
Tracking Status: firefox39 --- affected
Reporter: gkw
Assignee: Unassigned
Keywords: 4
Attachments: 1 file

z = [];
m = evalcx("");
Object.freeze(m)
for each(l in [{}, {}]) {
  m.s = ""
}

asserts js debug shell on m-c changeset fecf1afb0830 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: (objBits >> 47) == 0, at dist/include/js/Value.h with variants crashing at JS::ObjectOpResult::reportStrictErrorOrWarning.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh ~/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r fecf1afb0830

Opt builds crash similar to bug 1141154, except that this testcase does not involve Debugger.

Jason, is bug 1113369 a likely regressor?
Flags: needinfo?(jorendorff)
Attached file stack
(lldb) bt
* thread #1: tid = 0x17ab36, 0x000000010001bcdb js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::Value::setObject(JSObject&) [inlined] OBJECT_TO_JSVAL_IMPL(obj=<unavailable>) + 150 at Value.h:829, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010001bcdb js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::Value::setObject(JSObject&) [inlined] OBJECT_TO_JSVAL_IMPL(obj=<unavailable>) + 150 at Value.h:829
    frame #1: 0x000000010001bc45 js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::Value::setObject(this=<unavailable>, obj=<unavailable>) + 53 at Value.h:1057
    frame #2: 0x000000010074623f js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::ObjectOpResult::reportStrictErrorOrWarning(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool) [inlined] JS::ObjectValue(obj=<unavailable>) + 5 at Value.h:1474
    frame #3: 0x000000010074623a js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::ObjectOpResult::reportStrictErrorOrWarning(this=0x00007fff5fbfe8f0, cx=0x0000000101f02740, strict=<unavailable>, obj=<unavailable>, id=<unavailable>) + 170 at jsapi.cpp:151
(lldb)
Could be a dup of bug 1141154.
Yeah, the patch for bug 1141154 seems to fix this.
Depends on: 1141154
I added the test case in comment 0 to my patch in bug 1141154.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE