Closed Bug 540133 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js_GetMethod] or "Assertion failure: !JSVAL_IS_PRIMITIVE(regs.sp[-2]), at ../jsops.cpp" with gc

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 540528
Tracking Flags:
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: dmandelin)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:dupe 540528])

Crash Data

(function() {
  var x;
  eval("for (x in (gc)()) for each(e in [0]) { print }")
})()

crashes js opt shell with -j on TM tip at js_GetMethod and asserts js debug shell with -j on TM tip at Assertion failure: !JSVAL_IS_PRIMITIVE(regs.sp[-2]), at ../jsops.cpp:489

Turning security-sensitive because the testcase involves gc. Assuming [sg:critical?] just-in-case.

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000001
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x0006e753 js_GetMethod + 51
1   js-opt-32-tm-darwin           	0x0000d713 JS_GetMethodById + 51
2   js-opt-32-tm-darwin           	0x00060430 js_CallIteratorNext + 80
3   js-opt-32-tm-darwin           	0x00050c38 js_Interpret + 9272
4   js-opt-32-tm-darwin           	0x0005e4bc js_Execute + 444
5   js-opt-32-tm-darwin           	0x00072891 obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 2369
6   js-opt-32-tm-darwin           	0x0005ec15 js_Invoke + 1093
7   js-opt-32-tm-darwin           	0x000549dd js_Interpret + 25053
8   js-opt-32-tm-darwin           	0x0005e4bc js_Execute + 444
9   js-opt-32-tm-darwin           	0x0000d76c JS_ExecuteScript + 60
10  js-opt-32-tm-darwin           	0x000044f8 Process(JSContext*, JSObject*, char*, int) + 1336
11  js-opt-32-tm-darwin           	0x00008576 main + 1734
12  js-opt-32-tm-darwin           	0x0000249d _start + 208
13  js-opt-32-tm-darwin           	0x000023cc start + 40
Whiteboard: [sg:critical?] → [ccbr][sg:critical?]
autoBisect shows this is probably related to bug 495331:

The first bad revision is:
changeset:   37046:910ee7db07de
user:        David Mandelin
date:        Fri Jan 15 11:32:14 2010 -0800
summary:     Bug 495331: trace JSOP_LAMBDA for non-heavyweight, non-null closures, r=jorendorff,dvander
Blocks: 495331
Assignee: general → dmandelin
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Group: core-security
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 540528]
Crash Signature: [@ js_GetMethod]
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug540133.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.