Crash [@ js_Interpret] or "Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h" with eval

RESOLVED DUPLICATE of bug 561011

Status: RESOLVED DUPLICATE of bug 561011
Priority: --
Severity: critical
Reported: 9 years ago
Modified: 8 years ago

People: (Reporter: gkw, Unassigned)

Tracking: (Blocks: 1 bug, 4 keywords)
Version: Trunk
Platform: x86, Mac OS X
Keywords: assertion, crash, regression, testcase

Firefox Tracking Flags: (status1.9.2 unaffected, status1.9.1 unaffected)

Details: (Whiteboard: [ccbr], crash signature)

Description (Reporter, 9 years ago)

try {
    throw #1#
    for (c in [eval[o]]) {}
} catch(e) {}
for (var a = 0; a < 1; a++) {
    with(eval) {
        for (var b = 0; b < 1; b++) {}
    }
}

(pass the testcase in as a CLI argument to see the issue)

crashes js opt shell on TM tip without -j at js_Interpret and asserts js debug shell on TM tip without -j at Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183

===

js opt shell stack:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000000000000a8
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           	0x0005b713 js_Interpret + 25763
1   js-opt-32-tm-darwin           	0x00064fa3 js_Execute + 531
2   js-opt-32-tm-darwin           	0x0000faac JS_ExecuteScript + 60
3   js-opt-32-tm-darwin           	0x0000546f Process(JSContext*, JSObject*, char*, int) + 1647
4   js-opt-32-tm-darwin           	0x000094aa main + 1626
5   js-opt-32-tm-darwin           	0x00002f9d _start + 208
6   js-opt-32-tm-darwin           	0x00002ecc start + 40
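The Description reproduces the bug by passing the testcase to the js shell as a CLI argument and reports two outcomes: a SIGBUS inside js_Interpret in the opt shell and a JS_ASSERT failure in the debug shell. The following Python triage helper is an added example, not part of this bug or of the SpiderMonkey tree: it runs a shell over a testcase, buckets the result (assertion, signal crash, clean, or ordinary error exit), and derives a Bugzilla-style crash signature such as this bug's `[@ js_Interpret]` from the top frame of a pasted macOS crash report. `js_path` and `testcase_path` are the caller's and are hypothetical here; the sample report and assertion text are constructed from the lines quoted above.

```python
import re
import subprocess

# Constructed sample: the assertion line the debug shell prints for this bug,
# copied from the Description.
DEBUG_STDERR = "Assertion failure: JSVAL_IS_OBJECT(v), at ../jsapi.h:183\n"

# Constructed sample: excerpt of the macOS crash report quoted in the Description
# (opt shell, SIGBUS inside js_Interpret).
OPT_CRASH_REPORT = """\
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00000000000000a8
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin           \t0x0005b713 js_Interpret + 25763
1   js-opt-32-tm-darwin           \t0x00064fa3 js_Execute + 531
2   js-opt-32-tm-darwin           \t0x0000faac JS_ExecuteScript + 60
3   js-opt-32-tm-darwin           \t0x0000546f Process(JSContext*, JSObject*, char*, int) + 1647
"""

# "Assertion failure: <condition>, at <file>:<line>" as printed by JS_ASSERT in a debug shell.
ASSERTION_RE = re.compile(r"^Assertion failure: (?P<cond>.+?), at (?P<loc>\S+)$", re.M)

# One frame of an Apple crash report: "<idx> <module> <addr> <symbol> [+ <offset>]".
FRAME_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<module>\S+)\s+0x[0-9a-fA-F]+\s+(?P<symbol>.+?)(?: \+ \d+)?$",
    re.M,
)


def parse_assertion(output):
    """Return {'cond', 'loc'} for the first JS_ASSERT failure in shell output, or None."""
    m = ASSERTION_RE.search(output)
    return m.groupdict() if m else None


def top_frames(report, n=3):
    """Return the symbol names of the first n frames listed for the crashed thread."""
    return [m.group("symbol") for m in FRAME_RE.finditer(report)][:n]


def crash_signature(report):
    """Bugzilla-style crash signature built from the top frame, e.g. '[@ js_Interpret]'."""
    frames = top_frames(report, 1)
    return f"[@ {frames[0]}]" if frames else "[@ unknown]"


def classify(output, returncode):
    """Bucket one shell run: 'assertion' (debug JS_ASSERT fired), 'crash' (killed by a
    signal, which subprocess reports as a negative return code), 'clean', or 'error'
    (the shell exited non-zero on its own, e.g. an uncaught exception)."""
    if parse_assertion(output):
        return "assertion"
    if returncode < 0:
        return "crash"
    return "clean" if returncode == 0 else "error"


def run_shell(js_path, testcase_path, timeout=30):
    """Run a js shell with the testcase as a CLI argument, the way the Description
    says to reproduce, and classify the outcome. Both paths are hypothetical here."""
    proc = subprocess.run([js_path, testcase_path], capture_output=True, text=True, timeout=timeout)
    output = proc.stdout + proc.stderr
    return classify(output, proc.returncode), output


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; no shell binary is needed.
    print(parse_assertion(DEBUG_STDERR))      # {'cond': 'JSVAL_IS_OBJECT(v)', 'loc': '../jsapi.h:183'}
    print(crash_signature(OPT_CRASH_REPORT))  # [@ js_Interpret]
    print(classify(DEBUG_STDERR, -6))         # assertion
    print(classify("", -10))                  # crash (SIGBUS)
```

The signature is taken from the first frame only, which is what the bug's "Crash Signature: [@ js_Interpret]" field records; for real triage you would usually compare several top frames so that crashes entering the same interpreter function through different paths are not lumped together.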

Comment 1 (Reporter, 9 years ago)

autoBisect shows this is probably related to bug 514981:

The first bad revision is:
changeset:   32201:c19b0d06d076
user:        Brendan Eich
date:        Wed Sep 09 20:21:15 2009 -0700
summary:     Bug 514981 - JSStackFrame::sharp{Array,Depth} should be locals allocated due to #n[#=] usage (r=igor).

Blocks: 514981

Comment 2 (Reporter, 9 years ago)

This crashes my Mac 64-bit m-c nightly, I think it might crash a 32-bit one too. Setting s-s.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a5pre) Gecko/20100420 Minefield/3.7a5pre
Group: core-security

Notice sharp vs. var-in-with.

/be

Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 561011
Group: core-security
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Crash Signature: [@ js_Interpret]