Closed Bug 502714 Opened 14 years ago Closed 14 years ago

TM: Assertion failure: isNumber(*p) == (t == TT_DOUBLE)

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 502604

People

(Reporter: aaronmt, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:dupe 502604])

Attachments

(1 file)

TM: Assertion failure:isNumber(*p) == (t == TT_DOUBLE), at
/Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331

#0  JS_Assert (s=0x70 <Address 0x70 out of bounds>, file=0x70 <Address 0x70 out of bounds>, ln=112) at /Users/mozilla/mozilla-central/js/src/jsutil.cpp:69
#1  0x0037d5bf in TraceRecorder::import (this=0x1daf8e50, base=0x15d69d3c, offset=596, p=0x1daeb3b4, t=TT_STRING, prefix=0x402388 "global", index=4, fp=0x0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331
#2  0x00398552 in VisitGlobalSlots<ImportGlobalSlotVisitor> [inlined] () at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2399
#3  0x00398552 in TraceRecorder::import (this=0x1daf8e50, treeInfo=0x1daf8a60, sp=0x15d69d5c, stackSlots=9, ngslots=9, callDepth=1, typeMap=0x126ca5c0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2512
#4  0x00398ff5 in TraceRecorder::TraceRecorder (this=0x1daf8e50, cx=0xaad000, _anchor=0x15d6aaac, _fragment=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, innermostNestedGuard=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1629
#5  0x003994f3 in js_StartRecorder (cx=0xaad000, anchor=0x15d6aaac, f=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, expectedInnerExit=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1648
#6  0x00399877 in js_AttemptToExtendTree (cx=0xaad000, anchor=0x1daf8d00, exitedFrom=0x15a5d8a8, outer=0x15c0c823 "?;\n.?") at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4664
#7  0x0039b17f in js_RecordLoopEdge (cx=0x1daf8e50, r=0x1daf8e90, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4786
#8  0x0039b32a in js_MonitorLoopEdge (cx=0xaad000, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:5439
#9  0x002cc6f9 in js_Interpret (cx=0xaad000) at /Users/mozilla/mozilla-central/js/src/jsinterp.cpp:3944
#10 0x002d07d2 in js_Execute (cx=0xaad000, chain=0x1aa090a0, script=0x15c08000, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1661
...

Occurs on Mac/Windows/Linux 1.9.2

See attached reduced testcase
Attached file testcase
Summary: TM: Assertion failure:isNumber(*p) == (t == TT_DOUBLE) → TM: Assertion failure: isNumber(*p) == (t == TT_DOUBLE)
Most likely related is bug 502604
David, can you take a look?
Flags: blocking1.9.1.1?
This is crashing 3.5. 502604 is probably a dup. I suggest blocking 3.5.1 on this at least until we know the cause.
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment on attachment 387064 [details]
testcase

js testcases should have MIME type text/plain.
Attachment #387064 - Attachment mime type: application/x-javascript → text/plain
I'll be attaching a fully reduced testcase soon - along with autoBisect results.
Severity: normal → critical
Keywords: regression, testcase
Hardware: x86 → All
for each(z in ['', 0, '', '']) {
    for (let x = 0; x < 3; ++x) {
        let y = x;
        print(y || (z *= String))
    }
}

This asserts Assertion failure: isNumber(*p) == (t == TT_DOUBLE), at ../jstracer.cpp:2331 with -j and does not assert without. It does seem to be fixed by the patch in bug 502604.


autoBisect shows this is probably related to bug 452498:

The first bad revision is:
changeset:   26784:2cf0bbe3772a
user:        Brendan Eich
date:        Sun Apr 05 21:17:22 2009 -0700
summary:     upvar2, aka the big one take 2 (452498, r=mrbkap).
Blocks: upvar2
Flags: in-testsuite?
I think the upvar2 relation is incidental.

/be
Flags: blocking1.9.1.1?
Whiteboard: [sg:dupe 502604]
Group: core-security
You need to log in before you can comment on or make changes to this bug.