Closed
Bug 621374
Opened 14 years ago
Closed 14 years ago
Assertion failure: v.isNumber() / Crash null-ptr dereference
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: decoder, Assigned: bzbarsky)
References
Details
(Keywords: regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
2.74 KB,
patch
|
n.nethercote
:
review+
|
Details | Diff | Splinter Review |
Another christmas present from me, the following code asserts on mc trunk:
options('tracejit');
for (var j = 0; j < 10; ++[ ][2], ++j ) { }
with Assertion failure: v.isNumber(), at ../jstracer.cpp:8649
When continuing after the assertion, the code hits some more asserts and then crashes with a null ptr dereference:
Program received signal SIGSEGV, Segmentation fault.
0x000000000040fa0c in JSObject::getClass (this=0x0) at ../../jsobj.h:387
387 js::Class *getClass() const { return clasp; }
(gdb) bt
#0 0x000000000040fa0c in JSObject::getClass (this=0x0) at ../../jsobj.h:387
#1 0x00000000004e9d77 in js::DefaultValue (cx=0xaa4270, obj=0x0, hint=JSTYPE_NUMBER, vp=0x7fffffffbb80) at ../jsobj.cpp:5601
#2 0x00000000004d6a9b in js::ValueToNumberSlow (cx=0xaa4270, v=..., out=0x7fffffffbc68) at ../jsnum.cpp:1218
#3 0x00000000004321d1 in js::ValueToNumber (cx=0xaa4270, v=..., out=0x7fffffffbc68) at ../jsnum.h:272
#4 0x00000000005c5af9 in js::TraceRecorder::incHelper (this=0xac1280, v=..., v_ins=0xac3f78, v_after=@0x7fffffffbcb8, incr=1) at ../jstracer.cpp:8655
#5 0x00000000005c5838 in js::TraceRecorder::inc (this=0xac1280, v=..., v_ins=@0x7fffffffbd20, incr=1, pre=true) at ../jstracer.cpp:8619
#6 0x00000000005c5e6b in js::TraceRecorder::incElem (this=0xac1280, incr=1, pre=true) at ../jstracer.cpp:8701
#7 0x00000000005d0ef8 in js::TraceRecorder::record_JSOP_INCELEM (this=0xac1280) at ../jstracer.cpp:11556
#8 0x00000000005be95e in js::TraceRecorder::monitorRecording (this=0xac1280, op=JSOP_INCELEM) at ../jsopcode.tbl:165
#9 0x00000000006aa7f7 in js::Interpret (cx=0xaa4270, entryFrame=0x7ffff6abf048, inlineCallCount=0, interpMode=JSINTERP_NORMAL) at ../jsinterp.cpp:2689
Bisect shows:
Changeset 57711: bad
The first bad revision is:
changeset: 57711
user: Boris Zbarsky <removed>
date: Thu Nov 04 16:37:44 2010 -0400
summary: Bug 605858. Trace inc() for all primitive values, not just numbers. r=dvander
As this is a regression, nominating for blocker.
|
Reporter | |
Updated•14 years ago
|
blocking2.0: --- → ?
Keywords: regression
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
Assignee | |
Comment 2•14 years ago
|
||
This was a preexisting bug that bug 605858 just exposed.
Assignee: general → bzbarsky
Priority: -- → P1
Whiteboard: [need review]
|
|
||
Updated•14 years ago
|
Attachment #499925 -
Flags: review?(nnethercote) → review+
|
||
Comment 3•14 years ago
|
||
Comment on attachment 499925 [details] [diff] [review] Fix denseArrayElement to follow its contract for holes. >+/* >+ * When we end up with a hole, read it as undefined, and make sure to >+ * set addr_ins to null. >+ */ ..12345678901234567890123456789012345678901234567890123456789012345678901234567890 Super-ultra-whatever-nit: we wrap before 80 but your typewriter uses 72 :-P. /be
|
|
Assignee | |
Comment 5•14 years ago
|
||
Pushed http://hg.mozilla.org/tracemonkey/rev/6f0a7cfb06d7
Flags: in-testsuite+
Whiteboard: [need review] → fixed-in-tracemonkey
|
||
Comment 6•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6f0a7cfb06d7
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•