Closed Bug 520511 Opened 15 years ago Closed 15 years ago

Crash [@ js_PutBlockObject] or [@ 0x1aecdd50] or "Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [ccbr] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

for (b = 0; b < 1; b++) {
  this.watch("x", eval)
}
__defineGetter__("x", gc);
var f = (function () {
  __defineSetter__("x", function () {})
});
for (i = 0; i < 1; i++) {}
f();
for (let a = 0; a < 1; a++) x = 1

crashes js opt shell on TM tip at js_PutBlockObject near null and asserts dbg shell at Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183

autoBisecting soon...

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000000000001c
Crashed Thread: 0

Thread 0 Crashed:
0 js-opt-tm-darwin 0x00068cb3 js_PutBlockObject + 35
1 js-opt-tm-darwin 0x00057250 js_Interpret + 37040
2 js-opt-tm-darwin 0x0005df1a js_Execute + 362
3 js-opt-tm-darwin 0x0000d52c JS_ExecuteScript + 60
4 js-opt-tm-darwin 0x000040b8 __ZL7ProcessP9JSContextP8JSObjectPci + 1336
5 js-opt-tm-darwin 0x00008174 main + 2212
6 js-opt-tm-darwin 0x0000204b _start + 209
7 js-opt-tm-darwin 0x00001f79 start + 41
The assert/crash occurs without -j.

autoBisect shows this is probably related to bug 495325:

The first bad revision is:
changeset: 33133:de72243414cd
user: Blake Kaplan
date: Mon Aug 17 18:08:20 2009 -0700
summary: Bug 495325 - Follow ES about indirect eval being global eval. r=brendan/igor
Blocks: 495325
I have an almost-fully-reduced testcase that asserts identically but crashes at a scary location.
Group: core-security
Attached file testcase
This crashes opt js shell without -j:

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000001aecdd50
Crashed Thread: 0

Thread 0 Crashed:
0 js-opt-tm-darwin 0x000c1b42 JSScope::searchTable(long, bool) + 50
1 js-opt-tm-darwin 0x0006ba14 js_LookupPropertyWithFlags + 164
2 js-opt-tm-darwin 0x0006d8e1 js_FindIdentifierBase + 161
3 js-opt-tm-darwin 0x000513da js_Interpret + 11370
4 js-opt-tm-darwin 0x0005e68c js_Execute + 444
5 js-opt-tm-darwin 0x0000d57c JS_ExecuteScript + 60
6 js-opt-tm-darwin 0x000041b5 __ZL7ProcessP9JSContextP8JSObjectPci + 1605
7 js-opt-tm-darwin 0x000081a4 main + 2212
8 js-opt-tm-darwin 0x0000203b _start + 209
9 js-opt-tm-darwin 0x00001f69 start + 41

and also asserts at Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183
Summary: Crash [@ js_PutBlockObject] or "Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h" → Crash [@ js_PutBlockObject] or [@ 0x1aecdd50] or "Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h"
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Blocks: 531675
Crash Signature: [@ js_PutBlockObject] [@ 0x1aecdd50]
Group: core-security