TM: Assertion failure: isNumber(*p) == (t == TT_DOUBLE)

RESOLVED DUPLICATE of bug 502604

Status

()

defect
--
critical
RESOLVED DUPLICATE of bug 502604
10 years ago
9 years ago

People

(Reporter: aaronmt, Unassigned)

Tracking

({assertion, regression, testcase})

Trunk
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 502604])

Attachments

(1 attachment)

Reporter

Description

10 years ago
TM: Assertion failure:isNumber(*p) == (t == TT_DOUBLE), at
/Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331

#0  JS_Assert (s=0x70 <Address 0x70 out of bounds>, file=0x70 <Address 0x70 out of bounds>, ln=112) at /Users/mozilla/mozilla-central/js/src/jsutil.cpp:69
#1  0x0037d5bf in TraceRecorder::import (this=0x1daf8e50, base=0x15d69d3c, offset=596, p=0x1daeb3b4, t=TT_STRING, prefix=0x402388 "global", index=4, fp=0x0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331
#2  0x00398552 in VisitGlobalSlots<ImportGlobalSlotVisitor> [inlined] () at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2399
#3  0x00398552 in TraceRecorder::import (this=0x1daf8e50, treeInfo=0x1daf8a60, sp=0x15d69d5c, stackSlots=9, ngslots=9, callDepth=1, typeMap=0x126ca5c0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2512
#4  0x00398ff5 in TraceRecorder::TraceRecorder (this=0x1daf8e50, cx=0xaad000, _anchor=0x15d6aaac, _fragment=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, innermostNestedGuard=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1629
#5  0x003994f3 in js_StartRecorder (cx=0xaad000, anchor=0x15d6aaac, f=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, expectedInnerExit=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1648
#6  0x00399877 in js_AttemptToExtendTree (cx=0xaad000, anchor=0x1daf8d00, exitedFrom=0x15a5d8a8, outer=0x15c0c823 "?;\n.?") at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4664
#7  0x0039b17f in js_RecordLoopEdge (cx=0x1daf8e50, r=0x1daf8e90, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4786
#8  0x0039b32a in js_MonitorLoopEdge (cx=0xaad000, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:5439
#9  0x002cc6f9 in js_Interpret (cx=0xaad000) at /Users/mozilla/mozilla-central/js/src/jsinterp.cpp:3944
#10 0x002d07d2 in js_Execute (cx=0xaad000, chain=0x1aa090a0, script=0x15c08000, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1661
...

Occurs on Mac/Windows/Linux 1.9.2

See attached reduced testcase
Reporter

Comment 1

10 years ago
Posted file testcase
Reporter

Updated

10 years ago
Summary: TM: Assertion failure:isNumber(*p) == (t == TT_DOUBLE) → TM: Assertion failure: isNumber(*p) == (t == TT_DOUBLE)
Reporter

Comment 2

10 years ago
Most likely related is bug 502604

Comment 3

10 years ago
David, can you take a look?

Updated

10 years ago
Flags: blocking1.9.1.1?

Comment 4

10 years ago
This is crashing 3.5. 502604 is probably a dup. I suggest blocking 3.5.1 on this at least until we know the cause.

Updated

10 years ago
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 502604
Comment on attachment 387064 [details]
testcase

js testcases should have MIME type text/plain.
Attachment #387064 - Attachment mime type: application/x-javascript → text/plain
I'll be attaching a fully reduced testcase soon - along with autoBisect results.
Severity: normal → critical
Keywords: regression, testcase
Hardware: x86 → All
for each(z in ['', 0, '', '']) {
    for (let x = 0; x < 3; ++x) {
        let y = x;
        print(y || (z *= String))
    }
}

This asserts Assertion failure: isNumber(*p) == (t == TT_DOUBLE), at ../jstracer.cpp:2331 with -j and does not assert without. It does seem to be fixed by the patch in bug 502604.


autoBisect shows this is probably related to bug 452498:

The first bad revision is:
changeset:   26784:2cf0bbe3772a
user:        Brendan Eich
date:        Sun Apr 05 21:17:22 2009 -0700
summary:     upvar2, aka the big one take 2 (452498, r=mrbkap).
Blocks: upvar2
Flags: in-testsuite?
I think the upvar2 relation is incidental.

/be
Flags: blocking1.9.1.1?
Whiteboard: [sg:dupe 502604]
Group: core-security
You need to log in before you can comment on or make changes to this bug.