Closed Bug 551779 Opened 15 years ago Closed 15 years ago

Assertion failure: *(JSObject**)slot == NULL, at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:2805

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 557946
Tracking Status
blocking2.0 --- beta1+

People

(Reporter: roc, Unassigned)

References

()

Details

(Whiteboard: [sg:dupe 557946])

Crashed loading the URL http://code.google.com/p/v8/source/detail?spec=svn4108&r=4083

Assertion failure: *(JSObject**)slot == NULL, at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:2805

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0040e219 in JS_Assert (s=0x4bcfae "*(JSObject**)slot == NULL", file=0x4ba88c "/Users/roc/mozilla-checkin/js/src/jstracer.cpp", ln=2805) at /Users/roc/mozilla-checkin/js/src/jsutil.cpp:73
73 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) up down
#1 0x0043c1e5 in js::NativeToValue (cx=0x28268000, v=@0x321e9450, type=js::TT_NULL, slot=0x1509e050) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:2805
2805 JS_ASSERT(*(JSObject**)slot == NULL);
(gdb) down
#0 0x0040e219 in JS_Assert (s=0x4bcfae "*(JSObject**)slot == NULL", file=0x4ba88c "/Users/roc/mozilla-checkin/js/src/jstracer.cpp", ln=2805) at /Users/roc/mozilla-checkin/js/src/jsutil.cpp:73
73 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) where 10
#0 0x0040e219 in JS_Assert (s=0x4bcfae "*(JSObject**)slot == NULL", file=0x4ba88c "/Users/roc/mozilla-checkin/js/src/jstracer.cpp", ln=2805) at /Users/roc/mozilla-checkin/js/src/jsutil.cpp:73
#1 0x0043c1e5 in js::NativeToValue (cx=0x28268000, v=@0x321e9450, type=js::TT_NULL, slot=0x1509e050) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:2805
#2 0x0046c266 in js::FlushNativeStackFrameVisitor::visitStackSlots (this=0xbfffc118, vp=0x321e9450, count=17, fp=0x321e93e4) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:2937
#3 0x0043c586 in js::VisitFrameSlots<js::FlushNativeStackFrameVisitor> (visitor=@0xbfffc118, depth=0, fp=0x321e93e4, up=0x321e94a0) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:1792
#4 0x0043c418 in js::VisitFrameSlots<js::FlushNativeStackFrameVisitor> (visitor=@0xbfffc118, depth=1, fp=0x321e94a0, up=0x0) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:1773
#5 0x0043c6ec in js::VisitStackSlots<js::FlushNativeStackFrameVisitor> (visitor=@0xbfffc118, cx=0x28268000, callDepth=1) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:1821
#6 0x0043c75c in js::FlushNativeStackFrame (cx=0x28268000, callDepth=1, mp=0x39303710, np=0x1509e000, stopFrame=0x321e94a0, ignoreSlots=0) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:3282
#7 0x0043d42d in js::LeaveTree (tm=0x14f99088, state=@0xbfffc2b4, lr=0x3626a0dc) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:6685
#8 0x0043f2ce in js::ExecuteTree (cx=0x28268000, f=0x279a230c, inlineCallCount=@0xbfffc6d8, innermostNestedGuardp=0xbfffc398) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:6483
#9 0x00447503 in js::MonitorLoopEdge (cx=0x28268000, inlineCallCount=@0xbfffc6d8, reason=js::Record_Branch) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:6970
(More stack frames follow...)
(gdb) up
#1 0x0043c1e5 in js::NativeToValue (cx=0x28268000, v=@0x321e9450, type=js::TT_NULL, slot=0x1509e050) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:2805
2805 JS_ASSERT(*(JSObject**)slot == NULL);
(gdb) p slot
$1 = (double *) 0x1509e050
(gdb) p *slot
$2 = -6.2774363038785138e+66
(gdb) p v
$3 = (jsval &) @0x321e9450: 0

blocking2.0: --- → ?
blocking2.0: ? → beta1+
I can't reproduce this, but the stack looks like bug 557946. Do you still get this crash?
No.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Guys ... this bug contains a link that possibly reproduces a crash we haven't shipped the fix for ...
Group: core-security
Resolution: FIXED → DUPLICATE
Whiteboard: [sg:dupe 557946]
Group: core-security