Closed Bug 582276 Opened 15 years ago Closed 15 years ago

JM: Crash [@ js::DefaultValue] or "Assertion failure: &obj != NULL,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords)

Crash Data

(function() { this / z var z = "" })() asserts js debug shell on JM changeset e0988eae6c08 with -m at Assertion failure: &obj != NULL, at ../../jsvalue.h:356 and crashes js opt shell with -m at js::DefaultValue. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000004 0x00086a43 in js::DefaultValue () (gdb) bt #0 0x00086a43 in js::DefaultValue () #1 0x0007aca8 in js::ValueToNumberSlow () #2 0x00193dcd in js::mjit::stubs::Div () #3 0x002f62ac in ?? () #4 0x0018daa7 in js::mjit::JaegerShot () #5 0x0006f0fc in js::Execute () #6 0x000140b8 in JS_ExecuteScript () #7 0x000053bc in Process () #8 0x00008d27 in shell () #9 0x00009258 in main () (gdb) x/i $eip 0x86a43 <_ZN2js12DefaultValueEP9JSContextP8JSObject6JSTypePNS_5ValueE+35>: mov 0x4(%esi),%eax (gdb) x/b $esi 0x0: Cannot access memory at address 0x0
Reproduces on moo tip only on 32-bit.
regression from bug 578538 http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/89f0922e59f4
Blocks: 578538
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::DefaultValue]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.