Closed Bug 479567 Opened 15 years ago Closed 15 years ago

TM: Crash [@ JS_CallTracer] or "Assertion failure: thing, at ../jsgc.cpp" with gc, eval, watch, toSource

Categories

(Core :: JavaScript Engine, defect, P2)

x86
macOS
defect

VERIFIED FIXED

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [sg:investigate] fixed-in-tracemonkey)

Attachments

(1 file)

function f()
{
  (eval("(function(){for each (y in [false, false, false]);});"))();
}

this.__defineGetter__("x", gc);
uneval(this.watch("y", this.toSource))
f();
throw x;

asserts at Assertion failure: thing, at ../jsgc.cpp:2631 in dbg js shell with -j, and also causes a null deref in JS_CallTracer in opt js shell with -j.

Nominating blocking1.9.1? because this involves gc.


Verbose output:
/snip
fragment 0x3108a0:
ENTRY: S0 S5 S0 S6 G4 
recording completed at 14a.js:3@12 via closeLoop
Looking for compat peer 3@12, from 0x3108a0 (ip: 0x30e2d8, hits=2)
checking vm types 0x3108a0 (ip: 0x30e2d8): callee0=O/O this0=O/N stack0=O/O stack1=B/B global0=S/S 
entering trace at 14a.js:3@12, native stack slots: 6 code: 0x264f38
global: string<0x2a2c60> 
stack: callee0=object<0x2a5700:Function> this0=stack0=object<0x2a01e0:Iterator> stack1=boolean<0> 
leaving trace at 14a.js:3@16, op=ifne, lr=0x2632b8, exitType=3, sp=3, calldepth=0, cycles=61358
string<0x0> 
callee0=object<0x2a5700:Function> this0=null<0x0> stack0=object<0x2a01e0:Iterator> stack1=boolean<3> stack2=boolean<0> 
Assertion failure: thing, at ../jsgc.cpp:2631
Trace/BPT trap
Flags: blocking1.9.1?
A similar [sg:investigate] bug that was recently fixed is bug 473282.
Whiteboard: [sg:investigate]
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
WFM with TM tip.

How should this be resolved, since it's a blocking1.9.1+ ? (I don't know what fixed this.)
Flags: in-testsuite?
Flags: in-testsuite? → in-testsuite+
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: fixed1.9.1
Resolution: --- → FIXED
Whiteboard: [sg:investigate] → [sg:investigate] fixed-in-tracemonkey
verified 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Group: core-security
Flags: wanted1.9.0.x-
test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge.
Crash Signature: [@ JS_CallTracer]