Closed Bug 540187 Opened 15 years ago Closed 15 years ago

TM: Crash [@ JS_CallTracer] or "Assertion failure: a->info.list, at ../jsgc.cpp" with gc

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 540528
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: dmandelin)

Details

(4 keywords, Whiteboard: [ccbr][sg:dupe 540528])

Crash Data

for (j = 0; j < 1; j++) {
  var f = eval("\
    function() {\
      for (var a = 0; a < 8; ++a) {\
        if (a % 3 == 2) {\
          eval(\"\
            for(b in[0,0,0,0]) {\
              print()\
            }\
          \")\
        }\
        gc()\
      }\
    }\
  ");
  f()
}


Crashes the js opt shell with -j on TM tip at JS_CallTracer near null, and asserts the js debug shell with -j on TM tip with "Assertion failure: a->info.list, at ../jsgc.cpp:809".

Turning security-sensitive because this involves gc. Assuming [sg:critical?] unless otherwise determined.

autoBisect shows this is probably related to bug 495331:

The first bad revision is:
changeset:   37046:910ee7db07de
user:        David Mandelin
date:        Fri Jan 15 11:32:14 2010 -0800
summary:     Bug 495331: trace JSOP_LAMBDA for non-heavyweight, non-null closures, r=jorendorff,dvander

Opt crash stack:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000fc0
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x0004ac20 JS_CallTracer + 128
1   js-opt-32-tm-darwin           	0x00045aca args_or_call_trace(JSTracer*, JSObject*) + 90
2   js-opt-32-tm-darwin           	0x00067ed6 js_TraceObject + 630
3   js-opt-32-tm-darwin           	0x0004ae41 JS_CallTracer + 673
4   js-opt-32-tm-darwin           	0x0004af0a js_TraceStackFrame + 42
5   js-opt-32-tm-darwin           	0x0004b5df js_TraceContext + 95
6   js-opt-32-tm-darwin           	0x0004bb2c js_TraceRuntime + 140
7   js-opt-32-tm-darwin           	0x0004bfcb js_GC + 1051
8   js-opt-32-tm-darwin           	0x0000f828 JS_GC + 72
9   js-opt-32-tm-darwin           	0x0000589c GC(JSContext*, unsigned int, long*) + 44
10  js-opt-32-tm-darwin           	0x000578c6 js_Interpret + 36646
11  js-opt-32-tm-darwin           	0x0005e65c js_Execute + 444
12  js-opt-32-tm-darwin           	0x0000d91c JS_ExecuteScript + 60
13  js-opt-32-tm-darwin           	0x000047c5 Process(JSContext*, JSObject*, char*, int) + 1621
14  js-opt-32-tm-darwin           	0x00008726 main + 1734
15  js-opt-32-tm-darwin           	0x0000264d _start + 208
16  js-opt-32-tm-darwin           	0x0000257c start + 40
Assignee: general → dmandelin
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:dupe 540528]
Crash Signature: [@ JS_CallTracer]
A testcase for this bug was already added in the original bug (bug 540528).
Flags: in-testsuite-