Closed Bug 549602 Opened 14 years ago Closed 13 years ago

JM: Crash [@ js_CompareStrings] or "Assertion failure: JSVAL_IS_STRING(v), at ../jsapi.h"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

version(180)
function f1(code) {
    var c
    var t = code.replace(/s/, "")
    var f = new Function(code)
    var o
    e = v = f2(f, c)
}
function f2(f, e) {
    try {
        a = f()
    } catch(r) {
        var r = g()
    }
}
g1 = [{
    text: "(function sum_slicing(array){return array==0?0:a+sum_slicing(array.slice(1))})",
    test: function (f) {
        f([, 2]) == ""
    }
}];
(function () {
    for (var i = 0; i < g1.length; ++i) {
        var a = g1[i]
        var text = a.text
        var f = eval(text.replace(/@/, ""))
        if (a.test(f)) {}
    }
}())
f1("for(let a=0;a<6;a++){print([\"\"].some(function(){false>\"\"}))}")


crashes js opt shell with -m at js_CompareStrings and asserts js debug shell with -m at Assertion failure: JSVAL_IS_STRING(v), at ../jsapi.h:197
Doesn't crash for me at jm-tip (829334c3a9ef) - can you check?
Definitely crashes at changeset 51898db0bbc9 but WFM on 829334c3a9ef too.

Please add the test, then resolve... maybe WORKSFORME?
changeset:   38715:58da9dcf5c7c
user:        David Mandelin <dmandelin@mozilla.com>
date:        Tue Mar 02 11:51:13 2010 -0800
summary:     [JAEGER] jsop_initmethod and fix typo in relational ops for strings

Probably fixed by this checkin.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_CompareStrings]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug549602.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.