Closed Bug 540133 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js_GetMethod] or "Assertion failure: !JSVAL_IS_PRIMITIVE(regs.sp[-2]), at ../jsops.cpp" with gc

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 540528
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: dmandelin)

Details

(4 keywords, Whiteboard: [ccbr][sg:dupe 540528])

(function() {
  var x;
  eval("for (x in (gc)()) for each(e in [0]) { print }")
})()

crashes js opt shell with -j on TM tip at js_GetMethod and asserts js debug shell with -j on TM tip at Assertion failure: !JSVAL_IS_PRIMITIVE(regs.sp[-2]), at ../jsops.cpp:489

Turning security-sensitive because the testcase involves gc. Assuming [sg:critical?] just-in-case.

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000001
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 js-opt-32-tm-darwin 0x0006e753 js_GetMethod + 51
1 js-opt-32-tm-darwin 0x0000d713 JS_GetMethodById + 51
2 js-opt-32-tm-darwin 0x00060430 js_CallIteratorNext + 80
3 js-opt-32-tm-darwin 0x00050c38 js_Interpret + 9272
4 js-opt-32-tm-darwin 0x0005e4bc js_Execute + 444
5 js-opt-32-tm-darwin 0x00072891 obj_eval(JSContext*, JSObject*, unsigned int, long*, long*) + 2369
6 js-opt-32-tm-darwin 0x0005ec15 js_Invoke + 1093
7 js-opt-32-tm-darwin 0x000549dd js_Interpret + 25053
8 js-opt-32-tm-darwin 0x0005e4bc js_Execute + 444
9 js-opt-32-tm-darwin 0x0000d76c JS_ExecuteScript + 60
10 js-opt-32-tm-darwin 0x000044f8 Process(JSContext*, JSObject*, char*, int) + 1336
11 js-opt-32-tm-darwin 0x00008576 main + 1734
12 js-opt-32-tm-darwin 0x0000249d _start + 208
13 js-opt-32-tm-darwin 0x000023cc start + 40
Whiteboard: [sg:critical?] → [ccbr][sg:critical?]
autoBisect shows this is probably related to bug 495331:

The first bad revision is:
changeset: 37046:910ee7db07de
user: David Mandelin
date: Fri Jan 15 11:32:14 2010 -0800
summary: Bug 495331: trace JSOP_LAMBDA for non-heavyweight, non-null closures, r=jorendorff,dvander
Blocks: 495331
Assignee: general → dmandelin
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 540528]
Crash Signature: [@ js_GetMethod]
A testcase for this bug was automatically identified at js/src/jit-test/tests/closures/bug540133.js.
Flags: in-testsuite+