Closed
Bug 540131
Opened 16 years ago
Closed 16 years ago
TM: Crash [@ js_ValueToString] or [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 540528
| Flag | Tracking | Status |
|---|---|---|
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [ccbr][sg:dupe 540528])
```js
try {
  (function() {
    let(x = (eval("for(y in[0,0,0,0]){}"))) {}
  })()
} catch(e) {}
```
asserts js debug shell with -j on TM tip at Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp:3303 but does not crash on js opt shell.
Reporter updated•16 years ago
Summary: "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for → TM: "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for
Reporter, Comment 1•16 years ago
autoBisect shows this is probably related to bug 495331:
The first bad revision is:
changeset: 37046:910ee7db07de
user: David Mandelin
date: Fri Jan 15 11:32:14 2010 -0800
summary: Bug 495331: trace JSOP_LAMBDA for non-heavyweight, non-null closures, r=jorendorff,dvander
Blocks: 495331
Reporter, Comment 2•16 years ago
```js
(function() {
  for (let z in [true]) {
    (new(eval("for(l in[0,0,0,0]){}"))
      (((function f(a, b) {
        if (a.length == b) {
          return (z)
        }
        f(a, b + 1)
      })([,,], 0)), []))
  }
})()
```
crashes js opt 64-bit shell with -j on TM tip at block_getProperty near null and asserts js debug 64-bit shell with -j on TM tip at an identical assertion message. This testcase asserts 32-bit debug shell but does not crash in an opt one.
Summary: TM: "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for → TM: Crash [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for
Reporter, Comment 3•16 years ago
```js
(function() {
  (eval("\
    (function() {\
      let(e = eval(\"\
        for(z=0;z<5;z++){}\
      \"))\
      (function(){\
        x = e\
      })()\
    })\
  "))()
})();
print(x)
```
crashes js opt 32-bit shell with -j on TM tip at js_ValueToString at 0xe401005a (scary address) and asserts js debug 32-bit shell with -j on TM tip at an identical assertion.
Turning security-sensitive because of this scary address.
```text
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000e401005a
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin   0x000c981c js_ValueToString + 108
1   js-opt-32-tm-darwin   0x00003c16 Print(JSContext*, unsigned int, long*) + 166
2   js-opt-32-tm-darwin   0x00057726 js_Interpret + 36646
3   js-opt-32-tm-darwin   0x0005e4bc js_Execute + 444
4   js-opt-32-tm-darwin   0x0000d72c JS_ExecuteScript + 60
5   js-opt-32-tm-darwin   0x000044b8 Process(JSContext*, JSObject*, char*, int) + 1336
6   js-opt-32-tm-darwin   0x00008536 main + 1734
7   js-opt-32-tm-darwin   0x0000245d _start + 208
8   js-opt-32-tm-darwin   0x0000238c start + 40
```
Group: core-security
Summary: TM: Crash [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp" with try...catch, eval, for → TM: Crash [@ js_ValueToString] or [@ block_getProperty] (64-bit) or "Assertion failure: !js_IsActiveWithOrBlock(cx, fp->scopeChain, 0), at ../jsinterp.cpp"
Whiteboard: [ccbr][sg:critical?]
Reporter, Comment 4•16 years ago
(In reply to comment #2)
> (function() {
> for (let z in [true]) {
> (new(eval("for(l in[0,0,0,0]){}"))
> (((function f(a, b) {
> if (a.length == b) {
> return (z)
> }
> f(a, b + 1)
> })([,,], 0)), []))
> }
> })()
>
> crashes js opt 64-bit shell with -j on TM tip at block_getProperty near null
> and asserts js debug 64-bit shell with -j on TM tip at an identical assertion
> message. This testcase asserts 32-bit debug shell but does not crash in an opt
> one.
Crash stack:
```text
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000000e
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-64-tm-darwin   0x0000000100064bcd block_getProperty(JSContext*, JSObject*, long, long*) + 29
1   js-opt-64-tm-darwin   0x000000010006c091 js_NativeGet + 433
2   js-opt-64-tm-darwin   0x0000000100055b9e js_Interpret + 33726
3   js-opt-64-tm-darwin   0x000000010005d5cb js_Execute + 523
4   js-opt-64-tm-darwin   0x000000010000cbe0 JS_ExecuteScript + 32
5   js-opt-64-tm-darwin   0x0000000100003f9d Process(JSContext*, JSObject*, char*, int) + 1213
6   js-opt-64-tm-darwin   0x0000000100007961 main + 1441
7   js-opt-64-tm-darwin   0x0000000100002206 _start + 224
8   js-opt-64-tm-darwin   0x0000000100002125 start + 33
```
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Group: core-security
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 540528]
Comment 6•13 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug540131-2.js.
Flags: in-testsuite+