Closed
Bug 517076
Opened 15 years ago
Closed 15 years ago
Crash [@ js_CallIteratorNext] or "Assertion failure: STOBJ_GET_CLASS(obj) != &js_BlockClass, at ../jsscope.cpp"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: brendan)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey [ccbr])
Crash Data
Attachments
(1 file)
|
748 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
(Function("\
for (var a = 0; a < 2; a++) {\
let z;\
switch (#1=/x/) {}\
}\
"))()
asserts js dbg shell without -j on TM tip at Assertion failure: STOBJ_GET_CLASS(obj) != &js_BlockClass, at ../jsscope.cpp:103
autoBisect coming up later...
Flags: blocking1.9.2?
|
Reporter | |
Comment 1•15 years ago
|
||
autoBisect shows this is probably related to bug 514981:
The first bad revision is:
changeset: 32201:c19b0d06d076
user: Brendan Eich
date: Wed Sep 09 20:21:15 2009 -0700
summary: Bug 514981 - JSStackFrame::sharp{Array,Depth} should be locals allocated due to #n[#=] usage (r=igor).
Blocks: 514981
|
||
Comment 2•15 years ago
|
||
Blocks a non-blocking bug that's not on 1.9.2. -'ing for blocking 1.9.2.
Flags: blocking1.9.2? → blocking1.9.2-
|
|
Reporter | |
Comment 3•15 years ago
|
||
(Function("for(b in[0,0,0]) let(N=#0=/x/,d) (function(){})"))()
crashes opt builds without -j on TM tip at js_CallIteratorNext near null.
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
Crashed Thread: 0
Thread 0 Crashed:
0 js-opt-tm-darwin 0x0005fda2 js_CallIteratorNext + 18
1 js-opt-tm-darwin 0x000543eb js_Interpret + 25147
2 js-opt-tm-darwin 0x0005df2a js_Execute + 362
3 js-opt-tm-darwin 0x0000d54c JS_ExecuteScript + 60
4 js-opt-tm-darwin 0x000040d8 __ZL7ProcessP9JSContextP8JSObjectPci + 1336
5 js-opt-tm-darwin 0x00008194 main + 2212
6 js-opt-tm-darwin 0x0000206b _start + 209
7 js-opt-tm-darwin 0x00001f99 start + 41
Keywords: crash
Summary: "Assertion failure: STOBJ_GET_CLASS(obj) != &js_BlockClass, at ../jsscope.cpp" → Crash [@ js_CallIteratorNext] or "Assertion failure: STOBJ_GET_CLASS(obj) != &js_BlockClass, at ../jsscope.cpp"
|
|
Reporter | |
Updated•15 years ago
|
Whiteboard: [ccbr]
|
|
Reporter | |
Comment 4•15 years ago
|
||
(In reply to comment #2)
> Blocks a non-blocking bug that's not on 1.9.2. -'ing for blocking 1.9.2.
Renom blocking1.9.2? because the fingered bug 514981 has been nominated blocking1.9.2?
Flags: blocking1.9.2- → blocking1.9.2?
|
Assignee | |
Comment 6•15 years ago
|
||
Gonna commit this r=me ASAP.
/be
|
|
Assignee | |
Comment 7•15 years ago
|
||
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Whiteboard: [ccbr] → fixed-in-tracemonkey [ccbr]
|
||
Comment 8•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2+ → blocking1.9.2-
|
||
Updated•14 years ago
|
Crash Signature: [@ js_CallIteratorNext]
You need to log in
before you can comment on or make changes to this bug.
Description
•