Closed
Bug 515892
Opened 15 years ago
Closed 15 years ago
Crash [@ js_Interpret] or "Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
People
(Reporter: gkw, Assigned: brendan)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey [ccbr])
Crash Data
Attachments
(1 file)
|
751 bytes,
patch
|
igor
:
review+
|
Details | Diff | Splinter Review |
eval("for each(let x in[0,0]){#1#}")
crashes js opt shell without -j at js_Interpret at null and asserts js debug shell without -j at Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183
===
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 js-opt-tm-darwin 0x0005491a js_Interpret + 23498
1 js-opt-tm-darwin 0x0005e7d1 js_Execute + 385
2 js-opt-tm-darwin 0x0006e59c obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 2204
3 js-opt-tm-darwin 0x0005ef26 js_Invoke + 1110
4 js-opt-tm-darwin 0x00055296 js_Interpret + 25926
5 js-opt-tm-darwin 0x0005e7d1 js_Execute + 385
6 js-opt-tm-darwin 0x0000e1dc JS_ExecuteScript + 60
7 js-opt-tm-darwin 0x00004fa0 Process(JSContext*, JSObject*, char*, int) + 1616
8 js-opt-tm-darwin 0x0000811f main + 879
9 js-opt-tm-darwin 0x0000269b _start + 209
10 js-opt-tm-darwin 0x000025c9 start + 41
Flags: blocking1.9.2?
|
Reporter | |
Comment 1•15 years ago
|
||
autoBisect shows this is probably related to bug 514981:
The first bad revision is:
changeset: 32201:c19b0d06d076
user: Brendan Eich
date: Wed Sep 09 20:21:15 2009 -0700
summary: Bug 514981 - JSStackFrame::sharp{Array,Depth} should be locals allocated due to #n[#=] usage (r=igor).
This is affecting jsfunfuzz significantly.
Blocks: 514981
Whiteboard: [ccbr]
|
Assignee | |
Comment 2•15 years ago
|
||
Sorry for the trouble. I committed this patch just now.
/be
|
|
Assignee | |
Comment 3•15 years ago
|
||
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Whiteboard: [ccbr] → fixed-in-tracemonkey [ccbr]
Target Milestone: --- → mozilla1.9.2
|
||
Updated•15 years ago
|
Attachment #399972 -
Flags: review?(igor) → review+
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
||
Comment 4•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2+ → blocking1.9.2?
|
||
Comment 5•15 years ago
|
||
Did/should this land on mozilla-1.9.2? @js_Interpret is the topcrash on Firefox 3.6b1 by an order of magnitude.
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Updated•15 years ago
|
status1.9.2:
--- → unaffected
|
||
Updated•14 years ago
|
Crash Signature: [@ js_Interpret]
You need to log in
before you can comment on or make changes to this bug.
Description
•