Closed
Bug 473040
Opened 16 years ago
Closed 16 years ago
TM: Crash [@ NativeToValue]
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED
Resolution: DUPLICATE of bug 464096
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])
Crash Data
Attachments
(2 files, 1 obsolete file)
__proto__.functional getter= (new Function("gc()")); for each (let x in [new Boolean(true), new Boolean(true), -0, new Boolean(true), -0]) { undefined; }

crashes opt at some scary address 0x080cec8f at NativeToValue and asserts debug at:

Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp

This has been a bug that has proved elusive when trying to reduce on a Mac, and in Linux the reduced form has finally been discovered. Security-sensitive because it crashes at a scary address in opt.
Flags: blocking1.9.1?
Comment 1 (Reporter) • 16 years ago
See bug 464096 for a similar assertion but slightly different testcase.
Updated (Reporter) • 16 years ago
OS: Linux → All
Hardware: x86 → All
Updated • 16 years ago
Whiteboard: [sg:critical?]
Updated • 16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 2 • 16 years ago
#0 js_GC (cx=0x30b870, gckind=GC_NORMAL) at ../jsgc.cpp:3233
#1 0x0001679f in JS_GC (cx=0x30b870) at ../jsapi.cpp:2487
#2 0x00003c7a in GC (cx=0x30b870, argc=0, vp=0x815e20) at ../js.cpp:997
#3 0x000791e0 in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:4996
#4 0x0008a740 in js_Invoke (cx=0x30b870, argc=0, vp=0x815e18, flags=0) at jsinterp.cpp:1336
#5 0x0008a9f6 in js_InternalInvoke (cx=0x30b870, obj=0x26a1c0, fval=2557640, flags=0, argc=0, argv=0x0, rval=0xbfffc6ec) at jsinterp.cpp:1393
#6 0x0008ac57 in js_InternalGetOrSet (cx=0x30b870, obj=0x26a1c0, id=2541124, fval=2557640, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffc6ec) at jsinterp.cpp:1454
#7 0x0009ca93 in js_NativeGet (cx=0x30b870, obj=0x26a1c0, pobj=0x26a020, sprop=0x80fb30, vp=0xbfffc6ec) at ../jsobj.cpp:3732
#8 0x000229fb in array_getProperty (cx=0x30b870, obj=0x26a1c0, id=2541124, vp=0xbfffc6ec) at ../jsarray.cpp:718
#9 0x0008ca85 in CallEnumeratorNext (cx=0x30b870, iterobj=0x26a240, flags=3, rval=0xbfffc6ec) at ../jsiter.cpp:566
#10 0x0008cb95 in js_CallIteratorNext (cx=0x30b870, iterobj=0x26a240, rval=0xbfffc6ec) at ../jsiter.cpp:600
#11 0x00184a53 in js_FastCallIteratorNext (cx=0x30b870, iterobj=0x26a240) at ../jsbuiltins.cpp:258
#12 0x00243fb2 in ?? ()
#13 0xbfffedb8 in ?? ()
#14 0x0013f773 in js_MonitorLoopEdge (cx=0x30b870, inlineCallCount=@0xbffff260) at ../jstracer.cpp:3817
#15 0x0006462d in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:3097
#16 0x0008923c in js_Execute (cx=0x30b870, chain=0x26a000, script=0x30d760, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1564
#17 0x0001a65e in JS_ExecuteScript (cx=0x30b870, obj=0x26a000, script=0x30d760, rval=0x0) at ../jsapi.cpp:5083
#18 0x000083c5 in Process (cx=0x30b870, obj=0x26a000, filename=0xbffffa1c "x.js", forceTTY=0) at ../js.cpp:377
#19 0x000096bc in ProcessArgs (cx=0x30b870, obj=0x26a000, argv=0xbffff920, argc=2) at ../js.cpp:749
#20 0x0000a88b in main (argc=2, argv=0xbffff920, envp=0xbffff92c) at ../js.cpp:4321

Same issue here.
gc is triggered from on-trace. To check for this, break on js_GC and then run the code. If you stop from within trace code, Jason's patch will fix it. Dup of 468782.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
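The "GC reached from trace code" condition that comment 2 tells you to check for with a breakpoint on js_GC can also be read off a gdb backtrace mechanically: js_GC is innermost, js_MonitorLoopEdge (the trace entry point) is further up the stack, and the frames between them include unsymbolised `??` frames, which is where JIT-generated native code sits. The following Python triage helper is an added example, not code from this bug or from Mozilla; the first backtrace is a constructed excerpt of the one in comment 2, and the second is a constructed counterexample in which gc() is reached from the interpreter alone.

```python
import re

# One gdb frame: "#N [0xADDR in] func (args) [at file:line]"
FRAME_RE = re.compile(
    r"#(?P<num>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>[\w?]+)\s*\([^)]*\)"
    r"(?:\s+at\s+(?P<loc>\S+))?"
)

# Constructed excerpt of the comment 2 backtrace (frames 4-10 and 16-20 dropped)
ON_TRACE_BT = (
    "#0 js_GC (cx=0x30b870, gckind=GC_NORMAL) at ../jsgc.cpp:3233 "
    "#1 0x0001679f in JS_GC (cx=0x30b870) at ../jsapi.cpp:2487 "
    "#2 0x00003c7a in GC (cx=0x30b870, argc=0, vp=0x815e20) at ../js.cpp:997 "
    "#3 0x000791e0 in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:4996 "
    "#11 0x00184a53 in js_FastCallIteratorNext (cx=0x30b870, iterobj=0x26a240) at ../jsbuiltins.cpp:258 "
    "#12 0x00243fb2 in ?? () "
    "#13 0xbfffedb8 in ?? () "
    "#14 0x0013f773 in js_MonitorLoopEdge (cx=0x30b870, inlineCallCount=@0xbffff260) at ../jstracer.cpp:3817 "
    "#15 0x0006462d in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:3097"
)

# Constructed counterexample: gc() reached purely from the interpreter, no trace involved
INTERP_BT = (
    "#0 js_GC (cx=0x30b870, gckind=GC_NORMAL) at ../jsgc.cpp:3233 "
    "#1 0x0001679f in JS_GC (cx=0x30b870) at ../jsapi.cpp:2487 "
    "#2 0x00003c7a in GC (cx=0x30b870, argc=0, vp=0x815e20) at ../js.cpp:997 "
    "#3 0x000791e0 in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:4996 "
    "#4 0x0000a88b in main (argc=2, argv=0xbffff920, envp=0xbffff92c) at ../js.cpp:4321"
)


def parse_backtrace(text):
    """Split run-together gdb output into frames, innermost first."""
    return [{"num": int(m.group("num")), "func": m.group("func"), "loc": m.group("loc") or ""}
            for m in FRAME_RE.finditer(text)]


def gc_on_trace(text):
    """Return (js_GC frame, js_MonitorLoopEdge frame, JIT '??' frames between them)
    when the GC was entered while a trace was running, else None."""
    frames = parse_backtrace(text)
    gc_idx = next((i for i, f in enumerate(frames) if f["func"] == "js_GC"), None)
    if gc_idx is None:
        return None
    for i in range(gc_idx + 1, len(frames)):
        if frames[i]["func"] == "js_MonitorLoopEdge":
            jit = [f["num"] for f in frames[gc_idx:i] if f["func"] == "??"]
            return (frames[gc_idx]["num"], frames[i]["num"], jit) if jit else None
    return None


if __name__ == "__main__":
    print(gc_on_trace(ON_TRACE_BT))  # (0, 14, [12, 13])
    print(gc_on_trace(INTERP_BT))    # None
```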
Updated (Reporter) • 16 years ago
Flags: in-testsuite?
Comment 3 (Reporter) • 15 years ago
$ ./js-dbg-tm-intelmac -j
js> __proto__.functional getter= (new Function("gc()"));
function anonymous() {
    gc();
}
js> for each (let x in [new Boolean(true), new Boolean(true), -0, new Boolean(true), -0]) { undefined; }
Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp:3709
Trace/BPT trap

Now asserts another message and seems to work as expected in opt.
Comment 4 • 15 years ago
I couldn't reproduce the original issue on tracemonkey with 6475993319c4
Updated • 15 years ago
Flags: in-testsuite? → in-testsuite+
Updated • 15 years ago
Flags: wanted1.9.0.x-
Updated • 15 years ago
Group: core-security
Comment 7 • 15 years ago
http://hg.mozilla.org/tracemonkey/rev/46099e1c0fa5

/cvsroot/mozilla/js/tests/js1_8/extensions/regress-473040.js,v <-- regress-473040.js
initial revision: 1.1
Updated • 13 years ago
Crash Signature: [@ NativeToValue]