Bug 573433 (Closed)
Opened 15 years ago, closed 15 years ago
JM: Crash [@ js_PutCallObject] or "Assertion failure: f.fp->callobj,"
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED
People: Reporter: gkw, Unassigned
Details: Keywords: assertion, regression, testcase
function f() {
  eval("function(){for(x in[]){}}")
  function() {} ("")()
}
f()
asserts js debug shell with -m on JM tip at Assertion failure: f.fp->callobj, at ../methodjit/InvokeHelpers.cpp:549
===
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00154857 in JS_Assert (s=0x23e41a "f.fp->callobj", file=0x23e370 "../methodjit/InvokeHelpers.cpp", ln=549) at ../jsutil.cpp:77
77 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0 0x00154857 in JS_Assert (s=0x23e41a "f.fp->callobj", file=0x23e370 "../methodjit/InvokeHelpers.cpp", ln=549) at ../jsutil.cpp:77
#1 0x00216652 in js::mjit::stubs::PutCallObject (f=@0xbffff350) at ../methodjit/InvokeHelpers.cpp:549
#2 0x003ef2eb in ?? ()
#3 0x001df987 in js::mjit::JaegerShot (cx=0x809400) at ../methodjit/MethodJIT.cpp:638
#4 0x000ade2c in js::RunScript (cx=0x809400, script=0x40ce70, fun=0x0, scopeChain=0x701000) at jsinterp.cpp:458
#5 0x000ae3f8 in js::Execute (cx=0x809400, chain=0x701000, script=0x40ce70, down=0x0, flags=0, result=0xbffff570) at jsinterp.cpp:890
#6 0x00013717 in JS_ExecuteScript (cx=0x809400, obj=0x701000, script=0x40ce70, rval=0xbffff570) at ../jsapi.cpp:4485
#7 0x0000c00e in Process (cx=0x809400, obj=0x701000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:519
#8 0x0000ca13 in ProcessArgs (cx=0x809400, obj=0x701000, argv=0xbffff744, argc=1) at ../../shell/js.cpp:846
#9 0x0000cb26 in shell (cx=0x809400, argc=1, argv=0xbffff744, envp=0xbffff74c) at ../../shell/js.cpp:5024
#10 0x0000cc4a in main (argc=1, argv=0xbffff744, envp=0xbffff74c) at ../../shell/js.cpp:5113
Comment 1 (Reporter) • 15 years ago
This also seems to cause a null dereference:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
0x0005051e in js_PutCallObject ()
(gdb) bt
#0 0x0005051e in js_PutCallObject ()
#1 0x001b7a18 in js::mjit::stubs::PutCallObject ()
#2 0x002d3237 in ?? ()
#3 0x001860cd in js::mjit::JaegerShot ()
#4 0x0006eb7a in js::Execute ()
#5 0x000106e8 in JS_ExecuteScript ()
#6 0x00004940 in Process ()
#7 0x00008dd7 in shell ()
#8 0x00009208 in main ()
(gdb) x/i $eip
0x5051e <_Z16js_PutCallObjectP9JSContextP12JSStackFrame+206>: mov %ebx,0x20(%ecx)
(gdb) x/b $ebx
0x0: Cannot access memory at address 0x0
Summary: JM: "Assertion failure: f.fp->callobj," → JM: Crash [@ js_PutCallObject] or "Assertion failure: f.fp->callobj,"
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/977696225e6e
test-case pushed in a followup commit. thanks!
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 3 • 13 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug573433.js.
Flags: in-testsuite+