Closed
Bug 613152
Opened 14 years ago
Closed 14 years ago
TM: Crash [@ js::ExecuteTree] or "Assertion failure: v_ins->isD(),"
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 613692
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [sg:critical])
Crash Data
Attachments
(1 file)
26.00 KB,
text/plain
(function() {
  for each(y in [ {}, String(), {}, String(), '', '', String(), new String(), new String, {} ]) {
    print(undefined--)
  }
})()

asserts js debug shell on TM changeset d446894bc3a6 with -j at Assertion failure: v_ins->isD(), and crashes js opt shell with -j at a weird address:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000608
0x003f8efd in ?? ()
(gdb) bt
#0 0x003f8efd in ?? ()
#1 0x001a95c6 in js::ExecuteTree ()
Previous frame inner to this frame (gdb could not unwind past this frame)
(gdb) x/i $eip
0x3f8efd: mov %edx,0x608(%eax)
(gdb) x/b $edx
0x60b0d8: 0x68

s-s because a weird address seems to be involved.
Reporter
Comment 1•14 years ago
js::ExecuteTree seems to be on the stack for optimized builds.
Summary: TM: Crash at weird address or "Assertion failure: v_ins->isD()," → TM: Crash [@ js::ExecuteTree] or "Assertion failure: v_ins->isD(),"
Comment 2•14 years ago
Regression from when? I'm seeing js::ExecuteTree show up in the 1.9.2 branch, although it could be an independent bug contributing to a bad tree.
Whiteboard: [sg:critical]
Reporter
Comment 3•14 years ago
Due to cross compile breakage, attached is the regression window.
Comment 4•14 years ago
WFM on tracemonkey branch. Testing on Mac 10.5 to escape the cross-compile breakage, I get:

The first bad revision is:
changeset: 56651:19f70f8c2b88
user: Boris Zbarsky
date: Thu Nov 04 16:37:44 2010 -0400
summary: Bug 605858. Trace inc() for all primitive values, not just numbers. r=dvander

The first good revision is:
changeset: 57784:fe0e393e3530
user: Boris Zbarsky
date: Tue Nov 23 14:08:26 2010 -0500
summary: Bug 613692. Make sure to update what our current value is when doing type conversions inside incHelper. r=dvander
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
blocking2.0: ? → betaN+
Updated•13 years ago
Crash Signature: [@ js::ExecuteTree]
Updated•10 years ago
Group: core-security