Closed
Bug 575208
Opened 15 years ago
Closed 15 years ago
Crash [@ js::ExecuteFrameGuard::~ExecuteFrameGuard] or "Assertion failure: origin != destination,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: jorendorff)
References
Details
(4 keywords, Whiteboard: [ccbr] fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
8.97 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
with(evalcx('')) for each(z in [new Boolean(true)]) {}
asserts js debug shell without -j on TM tip at Assertion failure: origin != destination, at ../jswrapper.cpp:422 and crashes js opt shell without -j on TM tip at js::ExecuteFrameGuard::~ExecuteFrameGuard
Seems to be a null crash:
(gdb) bt
#0 0x00022b26 in js::ExecuteFrameGuard::~ExecuteFrameGuard ()
#1 0x001018ee in js::AutoCompartment::leave ()
#2 0x0000e4b2 in JS_LeaveCrossCompartmentCall ()
#3 0x00007b6f in shell ()
#4 0x000085a7 in main ()
(gdb) x/i $eip
0x22b26 <_ZN2js17ExecuteFrameGuardD1Ev+22>: movl $0x0,(%eax)
|
||
Comment 1•15 years ago
|
||
Gary, if you see "Compartment", cc: the compartment team.
/be
|
Reporter | |
Comment 2•15 years ago
|
||
(In reply to comment #1)
> Gary, if you see "Compartment", cc: the compartment team.
OK.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 44269:3aaaa21012c8
user: Jason Orendorff
date: Wed Jun 23 16:35:10 2010 -0500
summary: Bug 563099 - Compartments and wrappers API. r=gal.
Blocks: compartments-api
blocking2.0: --- → ?
|
Assignee | |
Updated•15 years ago
|
Assignee: general → jorendorff
|
|
Assignee | |
Comment 3•15 years ago
|
||
Same crash:
new (evalcx('Boolean'));
JSProxyHandler::construct seems to be the culprit. Patch coming later today.
|
|
Assignee | |
Comment 4•15 years ago
|
||
Is it safe to assume that GetCall isn't going to return JSVAL_VOID here?
Attachment #455614 -
Flags: review?(gal)
|
|
Assignee | |
Comment 5•15 years ago
|
||
Sorry, v1 was incomplete.
Doubt about GetCall afflicts me still.
Attachment #455614 -
Attachment is obsolete: true
Attachment #455749 -
Flags: review?(gal)
Attachment #455614 -
Flags: review?(gal)
|
||
Comment 6•15 years ago
|
||
Comment on attachment 455749 [details] [diff] [review]
v2
Thanks. A fixme with the bug # for primitive this support?
Attachment #455749 -
Flags: review?(gal) → review+
|
|
Reporter | |
Comment 7•15 years ago
|
||
This was checked in to TM:
http://hg.mozilla.org/tracemonkey/rev/196f9c7d868f
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
|
||
Comment 8•15 years ago
|
||
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
blocking2.0: ? → betaN+
|
||
Updated•14 years ago
|
Crash Signature: [@ js::ExecuteFrameGuard::~ExecuteFrameGuard]
You need to log in
before you can comment on or make changes to this bug.
Description
•