JM: Crash [@ js::DefaultValue] or "Assertion failure: &obj != NULL,"

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
RESOLVED FIXED
Reported:
8 years ago
Modified:
6 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Version:
Trunk
Platform:
x86
Mac OS X
Keywords:
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

8 years ago 
(function() {
  this / z
  var z = ""
})()

asserts js debug shell on JM changeset e0988eae6c08 with -m at Assertion failure: &obj != NULL, at ../../jsvalue.h:356 and crashes js opt shell with -m at js::DefaultValue.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x00086a43 in js::DefaultValue ()
(gdb) bt
#0  0x00086a43 in js::DefaultValue ()
#1  0x0007aca8 in js::ValueToNumberSlow ()
#2  0x00193dcd in js::mjit::stubs::Div ()
#3  0x002f62ac in ?? ()
#4  0x0018daa7 in js::mjit::JaegerShot ()
#5  0x0006f0fc in js::Execute ()
#6  0x000140b8 in JS_ExecuteScript ()
#7  0x000053bc in Process ()
#8  0x00008d27 in shell ()
#9  0x00009258 in main ()
(gdb) x/i $eip
0x86a43 <_ZN2js12DefaultValueEP9JSContextP8JSObject6JSTypePNS_5ValueE+35>:      mov    0x4(%esi),%eax
(gdb) x/b $esi
0x0:    Cannot access memory at address 0x0

Comment 1

8 years ago 
Reproduces on moo tip only on 32-bit.

Comment 2

8 years ago 
regression from bug 578538

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/89f0922e59f4
Blocks: 578538
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::DefaultValue]

Comment 3

6 years ago 
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.