Closed Bug 585314 Opened 14 years ago Closed 14 years ago

JM: Crash [@ js::DefaultValue] or "Assertion failure: &obj != NULL,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 585408

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords)

Crash Data

(function() {
  function a() {}
  a > a--
})()

asserts js debug shell on JM changeset 787e35063545 with -m at Assertion failure: &obj != NULL, at ../../jsvalue.h:356 and crashes js opt shell at js::DefaultValue.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x00085613 in js::DefaultValue ()
(gdb) bt
#0  0x00085613 in js::DefaultValue ()
#1  0x0018f19b in js::mjit::stubs::GreaterThan ()
#2  0x002c921f in ?? ()
#3  0x0018a0d7 in js::mjit::JaegerShot ()
#4  0x0006ee0c in js::Execute ()
#5  0x00014828 in JS_ExecuteScript ()
#6  0x0000585c in Process ()
#7  0x00009147 in shell ()
#8  0x00009678 in main ()
(gdb) x/i $eip
0x85613 <_ZN2js12DefaultValueEP9JSContextP8JSObject6JSTypePNS_5ValueE+35>:      mov    0x4(%esi),%eax
(gdb) x/b $esi
0x0:    Cannot access memory at address 0x0
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ js::DefaultValue]
A testcase for this bug was already added in the original bug (bug 585408).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.