Closed Bug 479479 Opened 16 years ago Closed 16 years ago

TM: Crash [@ isInt32] or "Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h:119"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 476871

People

(Reporter: gkw, Unassigned)

Details

(4 keywords)

Crash Data

function f() { eval("{ for each (NaN in [null, 2, 'q', 2, null]);; }"); } if(this.watch("NaN", /a/g)) ( '' ); NaN = 1e81; f(); asserts at Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h:119 in dbg shells with -j and causes a null deref in opt shells with -j. Is this related to bug 473046? === /snip patching jump at 0x91dffb to target 0x7d0ea8 (was 0x7d0ff8) Joining type-stable trace to target exit 0x80fa70->0x7cf2ac. fragment 0x80fa70: ENTRY: S0 S0 S0 S1 G5 fragment 0x80fbf0: ENTRY: S0 S0 S0 S4 G0 EXIT: S0 S0 S0 S2 G5 recording completed at 100a.js:2@18 via closeLoop Looking for compat peer 2@18, from 0x80fa70 (ip: 0x80ead2, hits=3) checking vm types 0x80fa70 (ip: 0x80ead2): callee0=O/O this0=O/O stack0=O/O stack1=I/I global0=O/N entering trace at 100a.js:2@18, native stack slots: 6 code: 0x7d0f5e global: stack: callee0=object<0x915738:Function> this0=object<0x7fa000:global> stack0=object<0x7fa240:Iterator> stack1=int<2> leaving trace at 100a.js:2@21, op=nextiter, lr=0x7cf23c, exitType=5, sp=2, calldepth=0, cycles=35717 Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h:119 Trace/BPT trap
hg bisect reveals: The first bad revision is: changeset: 24636:bee9d9de99b1 user: Jeff Walden date: Tue Feb 03 13:56:25 2009 -0800 summary: Bug 463243 - Assert correct type in JSVAL_TO_* (and vice versa) macros to fail fast when type errors happen. r=brendan Before this changeset, it asserts at Assertion failure: JSVAL_TAG(v) == JSVAL_OBJECT, at ../jstracer.cpp:1352 The first bad revision is: changeset: 21598:52536f3066ff user: Andreas Gal date: Thu Nov 13 15:58:58 2008 -0800 summary: Don't flush JIT cache from within the recorder (464403, r=brendan). Without this changeset 21598 and later changesets, the testcase in comment #0 seems to work as expected, but up to and including changeset 21598, the testcase asserts at Assertion failure: JSVAL_TAG(v) == JSVAL_OBJECT, at ../jstracer.cpp:1352 I'm guessing this should be a regression of bug 464403.
Depends on: 464403
Flags: blocking1.9.1?
Keywords: regression
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Flags: in-testsuite?
For testing purposes, the testcase in comment #0 sometimes morphs to assert at: Assertion failure: ((jsval) obj & JSVAL_TAGBITS) == JSVAL_OBJECT, at ../jsapi.h:119 as well.
Not a regression of 464403 then, removing wrong assumption dependency.
No longer depends on: 464403
Flags: blocking1.9.1? → blocking1.9.1+
Crash Signature: [@ isInt32]
You need to log in before you can comment on or make changes to this bug.