Closed Bug 479479 Opened 15 years ago Closed 15 years ago

TM: Crash [@ isInt32] or "Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h:119"

Categories: Core :: JavaScript Engine, defect
Platform: x86 macOS
Priority: Not set
Severity: critical


RESOLVED DUPLICATE of bug 476871

People

(Reporter: gkw, Unassigned)


function f() {
    eval("{ for each (NaN in [null, 2, 'q', 2, null]);; }");
}
if(this.watch("NaN", /a/g)) ( '' );
NaN = 1e81;
f();

Asserts at Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h:119 in dbg shells with -j and causes a null deref in opt shells with -j.

Is this related to bug 473046?

===

/snip
patching jump at 0x91dffb to target 0x7d0ea8 (was 0x7d0ff8)

Joining type-stable trace to target exit 0x80fa70->0x7cf2ac.
fragment 0x80fa70:
ENTRY: S0 S0 S0 S1 G5 
fragment 0x80fbf0:
ENTRY: S0 S0 S0 S4 G0 
EXIT:  S0 S0 S0 S2 G5 
recording completed at 100a.js:2@18 via closeLoop
Looking for compat peer 2@18, from 0x80fa70 (ip: 0x80ead2, hits=3)
checking vm types 0x80fa70 (ip: 0x80ead2): callee0=O/O this0=O/O stack0=O/O stack1=I/I global0=O/N 
entering trace at 100a.js:2@18, native stack slots: 6 code: 0x7d0f5e
global: 
stack: callee0=object<0x915738:Function> this0=object<0x7fa000:global> stack0=object<0x7fa240:Iterator> stack1=int<2> 
leaving trace at 100a.js:2@21, op=nextiter, lr=0x7cf23c, exitType=5, sp=2, calldepth=0, cycles=35717
Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h:119
Trace/BPT trap
hg bisect reveals:

The first bad revision is:
changeset:   24636:bee9d9de99b1
user:        Jeff Walden
date:        Tue Feb 03 13:56:25 2009 -0800
summary:     Bug 463243 - Assert correct type in JSVAL_TO_* (and vice versa) macros to fail fast when type errors happen.  r=brendan

Before this changeset, it asserts at Assertion failure: JSVAL_TAG(v) == JSVAL_OBJECT, at ../jstracer.cpp:1352

The first bad revision is:
changeset:   21598:52536f3066ff
user:        Andreas Gal
date:        Thu Nov 13 15:58:58 2008 -0800
summary:     Don't flush JIT cache from within the recorder (464403, r=brendan).

Without this changeset 21598 and later changesets, the testcase in comment #0 seems to work as expected, but up to and including changeset 21598, the testcase asserts at Assertion failure: JSVAL_TAG(v) == JSVAL_OBJECT, at ../jstracer.cpp:1352

I'm guessing this should be a regression of bug 464403.
Depends on: 464403
Flags: blocking1.9.1?
Keywords: regression
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Flags: in-testsuite?
For testing purposes, the testcase in comment #0 sometimes morphs to assert at:

Assertion failure: ((jsval) obj & JSVAL_TAGBITS) == JSVAL_OBJECT, at ../jsapi.h:119

as well.
Not a regression of 464403 then, removing wrong assumption dependency.
No longer depends on: 464403
Flags: blocking1.9.1? → blocking1.9.1+
Crash Signature: [@ isInt32]