Closed
Bug 582276
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ js::DefaultValue] or "Assertion failure: &obj != NULL,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords)
Crash Data
(function() { this / z var z = "" })() asserts js debug shell on JM changeset e0988eae6c08 with -m at Assertion failure: &obj != NULL, at ../../jsvalue.h:356 and crashes js opt shell with -m at js::DefaultValue. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000004 0x00086a43 in js::DefaultValue () (gdb) bt #0 0x00086a43 in js::DefaultValue () #1 0x0007aca8 in js::ValueToNumberSlow () #2 0x00193dcd in js::mjit::stubs::Div () #3 0x002f62ac in ?? () #4 0x0018daa7 in js::mjit::JaegerShot () #5 0x0006f0fc in js::Execute () #6 0x000140b8 in JS_ExecuteScript () #7 0x000053bc in Process () #8 0x00008d27 in shell () #9 0x00009258 in main () (gdb) x/i $eip 0x86a43 <_ZN2js12DefaultValueEP9JSContextP8JSObject6JSTypePNS_5ValueE+35>: mov 0x4(%esi),%eax (gdb) x/b $esi 0x0: Cannot access memory at address 0x0
Comment 1•14 years ago
|
||
Reproduces on moo tip only on 32-bit.
Updated•13 years ago
|
Crash Signature: [@ js::DefaultValue]
Comment 3•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•