Closed
Bug 589093
Opened 14 years ago
Closed 14 years ago
TM: Crash [@ js::Interpret] or "Assertion failure: script->main <= target && target < script->code + script->length,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Assigned: gal)
References
Details
(4 keywords, Whiteboard: [ccbr][sg:critical?])
Crash Data
x = (w for (x in []))
for (w in [0, 0, 0, 0]) {
(function() {
[c for (z in x)]
})()
}
crashes js opt shell on TM changeset b22e82ce2364 with -j at js::Interpret and asserts js debug shell at Assertion failure: script->main <= target && target < script->code + script->length, at ../jsopcode.cpp:5501
s-s because the opt shell seems to be accessing 0x8c, a scary address.
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x0005d5ae in js::Interpret ()
(gdb) bt
#0 0x0005d5ae in js::Interpret ()
#1 0x0006ccf4 in js::Execute ()
#2 0x00013d48 in JS_ExecuteScript ()
#3 0x0000580c in Process ()
#4 0x00009427 in shell ()
#5 0x00009947 in main ()
(gdb) x/i $eip
0x5d5ae <_ZN2js9InterpretEP9JSContext+10286>: cmp %eax,0x4(%edx)
(gdb) x/b $eax
0x1e1a40 <js_IteratorClass>: 0x8c
Debug backtrace:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00163384 in JS_Assert (s=0x22b3e0 "script->main <= target && target < script->code + script->length", file=0x22b174 "../jsopcode.cpp", ln=5501) at ../jsutil.cpp:80
80 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0 0x00163384 in JS_Assert (s=0x22b3e0 "script->main <= target && target < script->code + script->length", file=0x22b174 "../jsopcode.cpp", ln=5501) at ../jsutil.cpp:80
#1 0x000e6f4e in ReconstructPCStack (cx=0x50a3b0, script=0x50d310, target=0x50d607 ":", pcstack=0x0) at ../jsopcode.cpp:5501
#2 0x000e7221 in js_ReconstructStackDepth (cx=0x50a3b0, script=0x50d310, pc=0x50d607 ":") at ../jsopcode.cpp:5333
#3 0x0019215b in js::SynthesizeFrame (cx=0x50a3b0, fi=@0x850244, callee=0x706af8) at ../jstracer.cpp:5667
#4 0x00192ea3 in js::LeaveTree (tm=0x823a2c, state=@0xbfffe538, lr=0x8593fc) at ../jstracer.cpp:7003
#5 0x0019433e in js::ExecuteTree (cx=0x50a3b0, f=0x850044, inlineCallCount=@0xbfffedb4, innermostNestedGuardp=0xbfffe614, lrp=0xbfffe618) at ../jstracer.cpp:6764
#6 0x001a5c8a in js::MonitorLoopEdge (cx=0x50a3b0, inlineCallCount=@0xbfffedb4, reason=js::Record_Branch) at ../jstracer.cpp:7265
#7 0x00096ca2 in js::Interpret (cx=0x50a3b0) at ../jsinterp.cpp:2892
#8 0x000b9eb4 in js::Execute (cx=0x50a3b0, chain=0x702000, script=0x50d590, down=0x0, flags=0, result=0xbffff730) at jsinterp.cpp:883
#9 0x000168ea in JS_ExecuteScript (cx=0x50a3b0, obj=0x702000, script=0x50d590, rval=0xbffff730) at ../jsapi.cpp:4744
#10 0x0000c181 in Process (cx=0x50a3b0, obj=0x702000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#11 0x0000cb59 in ProcessArgs (cx=0x50a3b0, obj=0x702000, argv=0xbffff8fc, argc=1) at ../../shell/js.cpp:855
#12 0x0000cc72 in shell (cx=0x50a3b0, argc=1, argv=0xbffff8fc, envp=0xbffff904) at ../../shell/js.cpp:5059
#13 0x0000cd96 in main (argc=1, argv=0xbffff8fc, envp=0xbffff904) at ../../shell/js.cpp:5146
|
Reporter | |
Comment 1•14 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 41875:128e76615878 user: Andreas Gal date: Wed May 12 13:12:53 2010 -0700 summary: nit fix for bug 558754 and remove bogus spot-fix that didn't have review (r=brendan) (This should probably be double-checked..)
|
|
Reporter | |
Updated•14 years ago
|
blocking2.0: --- → ?
|
|
Reporter | |
Comment 2•14 years ago
|
||
(In reply to comment #1) > (This should probably be double-checked..) I'm quite sure that's the correct changeset..
|
||
Comment 3•14 years ago
|
||
Is this always near null? The asserted condition sounds scary, unless there's some path where target is always ok UNLESS is it null. Assuming the worst for now.
Blocks: fastiterators
Whiteboard: [ccbr] → [ccbr][sg:critical?]
|
|
||
Updated•14 years ago
|
status1.9.2:
--- → unaffected
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
|
||
Updated•14 years ago
|
Assignee: general → gal
|
Assignee | |
Comment 4•14 years ago
|
||
WFM with TM tip. Debug shell macosx 64-bit. Gary, can you verify.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
|
|
||
Comment 5•14 years ago
|
||
Would it be worth adding this testcase to the regression test suite anyway?
status1.9.1:
--- → unaffected
Flags: in-testsuite?
|
|
||
Updated•14 years ago
|
Group: core-security
|
||
Updated•13 years ago
|
Crash Signature: [@ js::Interpret]
|
||
Comment 6•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•