Closed
Bug 582276
Opened 15 years ago
Closed 15 years ago
JM: Crash [@ js::DefaultValue] or "Assertion failure: &obj != NULL,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords)
Crash Data
(function() {
this / z
var z = ""
})()
asserts js debug shell on JM changeset e0988eae6c08 with -m at Assertion failure: &obj != NULL, at ../../jsvalue.h:356 and crashes js opt shell with -m at js::DefaultValue.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x00086a43 in js::DefaultValue ()
(gdb) bt
#0 0x00086a43 in js::DefaultValue ()
#1 0x0007aca8 in js::ValueToNumberSlow ()
#2 0x00193dcd in js::mjit::stubs::Div ()
#3 0x002f62ac in ?? ()
#4 0x0018daa7 in js::mjit::JaegerShot ()
#5 0x0006f0fc in js::Execute ()
#6 0x000140b8 in JS_ExecuteScript ()
#7 0x000053bc in Process ()
#8 0x00008d27 in shell ()
#9 0x00009258 in main ()
(gdb) x/i $eip
0x86a43 <_ZN2js12DefaultValueEP9JSContextP8JSObject6JSTypePNS_5ValueE+35>: mov 0x4(%esi),%eax
(gdb) x/b $esi
0x0: Cannot access memory at address 0x0
Comment 1•15 years ago
|
||
Reproduces on moo tip only on 32-bit.
Updated•14 years ago
|
Crash Signature: [@ js::DefaultValue]
Comment 3•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•