Closed Bug 549602 Opened 15 years ago Closed 15 years ago

JM: Crash [@ js_CompareStrings] or "Assertion failure: JSVAL_IS_STRING(v), at ../jsapi.h"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

version(180) function f1(code) { var c var t = code.replace(/s/, "") var f = new Function(code) var o e = v = f2(f, c) } function f2(f, e) { try { a = f() } catch(r) { var r = g() } } g1 = [{ text: "(function sum_slicing(array){return array==0?0:a+sum_slicing(array.slice(1))})", test: function (f) { f([, 2]) == "" } }]; (function () { for (var i = 0; i < g1.length; ++i) { var a = g1[i] var text = a.text var f = eval(text.replace(/@/, "")) if (a.test(f)) {} } }()) f1("for(let a=0;a<6;a++){print([\"\"].some(function(){false>\"\"}))}") crashes js opt shell with -m at js_CompareStrings and asserts js debug shell with -m at Assertion failure: JSVAL_IS_STRING(v), at ../jsapi.h:197
Doesn't crash for me at jm-tip (829334c3a9ef) - can you check?
Definitely crashes at changeset 51898db0bbc9 but WFM on 829334c3a9ef too. Please add the test, then resolve... maybe WORKSFORME?
changeset: 38715:58da9dcf5c7c user: David Mandelin <dmandelin@mozilla.com> date: Tue Mar 02 11:51:13 2010 -0800 summary: [JAEGER] jsop_initmethod and fix typo in relational ops for strings Probably fixed by this checkin.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_CompareStrings]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug549602.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.