579275 - Crash [@ QuoteString] or "Assertion failure: isString(),"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

let(a){[a].filter("".toSource)}

asserts js debug shell on TM tip without -j at Assertion failure: isString(), at ../jsvalue.h:526 and crashes js opt shell on TM tip without -j at QuoteString

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

js> let(a){[a].filter("".toSource)}

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
0x00096574 in QuoteString ()
(gdb) bt
#0  0x00096574 in QuoteString ()
#1  0x000968da in js_QuoteString ()
#2  0x000fdd3c in str_toSource ()
#3  0x0006e273 in js::InvokeCommon<int (*)(JSContext*, JSObject*, unsigned int, js::Value*, js::Value*)> ()
#4  0x0006f00d in js::Invoke ()
#5  0x0001ec00 in array_extra ()
#6  0x00065b4c in js::Interpret ()
#7  0x0006e72b in js::Execute ()
#8  0x00014a58 in JS_ExecuteScript ()
#9  0x0000600c in Process ()
#10 0x00009866 in shell ()
#11 0x00009d77 in main ()
(gdb) x/i $eip
0x96574 <_ZL11QuoteStringP8SprinterP8JSStringj+52>:     testb  $0x2,0x8(%esi)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Patch

Comment 4

[Luke Wagner [:luke]]

Comment on attachment 457778 [details] [diff] [review]
Patch

Thank you sir!

Comment 5

[Blake Kaplan (:mrbkap) (inactive)]

http://hg.mozilla.org/tracemonkey/rev/7cb520995757

Gary, this might fix a couple of the other bugs you filed last night.

Comment 6

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/7cb520995757