Closed Bug 582276 Opened 11 years ago Closed 11 years ago

JM: Crash [@ js::DefaultValue] or "Assertion failure: &obj != NULL,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords)

Crash Data

(function() {
  this / z
  var z = ""
})()

asserts js debug shell on JM changeset e0988eae6c08 with -m at Assertion failure: &obj != NULL, at ../../jsvalue.h:356 and crashes js opt shell with -m at js::DefaultValue.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x00086a43 in js::DefaultValue ()
(gdb) bt
#0  0x00086a43 in js::DefaultValue ()
#1  0x0007aca8 in js::ValueToNumberSlow ()
#2  0x00193dcd in js::mjit::stubs::Div ()
#3  0x002f62ac in ?? ()
#4  0x0018daa7 in js::mjit::JaegerShot ()
#5  0x0006f0fc in js::Execute ()
#6  0x000140b8 in JS_ExecuteScript ()
#7  0x000053bc in Process ()
#8  0x00008d27 in shell ()
#9  0x00009258 in main ()
(gdb) x/i $eip
0x86a43 <_ZN2js12DefaultValueEP9JSContextP8JSObject6JSTypePNS_5ValueE+35>:      mov    0x4(%esi),%eax
(gdb) x/b $esi
0x0:    Cannot access memory at address 0x0
Reproduces on moo tip only on 32-bit.
regression from bug 578538

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/89f0922e59f4
Blocks: 578538
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::DefaultValue]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.