Closed
Bug 621943
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ js_TraceObject] or "Assertion failure: !argsobj.getPrivate(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla2.0b9
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: Waldo)
Details
(4 keywords, Whiteboard: [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey])
Attachments
(1 file)
2.18 KB, patch | luke: review+
function f1(code) {
    f = Function(code)
    v = f2(f, code);
    try {
        for (e in rv)
        {
            n
        }
    } catch(r) {}
}
function f2(f, e) {
    rv = f()
}
f1("\"use strict\";for each(b in[0]){(eval(yield[]))}")
f1("gc()")
asserts js debug shell on TM changeset 2e3df1dda85 with -m at Assertion failure: !argsobj.getPrivate(), and crashes at js_TraceObject.
Assuming s-s because this involves gc.
Opt backtrace:
(gdb) bt
#0 0x00000008 in ?? ()
Cannot access memory at address 0x8
#1 0x000b89fa in js_TraceObject ()
#2 0x000b8e5f in js_TraceObject ()
#3 0x0007003c in js::gc::MarkChildren ()
#4 0x0007a2c8 in js_TraceStackFrame ()
#5 0x000a0dc8 in generator_trace ()
#6 0x000b89fa in js_TraceObject ()
#7 0x000b8e5f in js_TraceObject ()
#8 0x0007003c in js::gc::MarkChildren ()
#9 0x000702d0 in js::gc::MarkChildren ()
#10 0x000702df in js::gc::MarkChildren ()
#11 0x000702df in js::gc::MarkChildren ()
#12 0x0007e076 in js::MarkIfGCThingWord ()
#13 0x000749bb in js::MarkRuntime ()
#14 0x00076432 in GCUntilDone ()
#15 0x0007808b in js_GC ()
#16 0x000130aa in JS_GC ()
#17 0x00007059 in GC ()
#18 0x0022c19c in CallCompiler::generateNativeStub ()
#19 0x0022b8fb in js::mjit::ic::NativeCall ()
#20 0x006c4095 in ?? ()
#21 0x001d477a in js::mjit::JaegerShot ()
#22 0x0009645a in js::Invoke ()
#23 0x0023e100 in js::mjit::stubs::SlowCall ()
#24 0x0022a6b5 in SlowCallFromIC ()
#25 0x006c3c4d in ?? ()
#26 0x001d477a in js::mjit::JaegerShot ()
#27 0x00095d83 in js::Execute ()
#28 0x00018db8 in JS_ExecuteScript ()
#29 0x00006464 in Process ()
#30 0x0000ad02 in Shell ()
#31 0x0000b29f in main ()
(gdb) x/i $eip
0x8: Cannot access memory at address 0x8
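A triage sketch for the backtrace above, added here as an example; it is not part of the original report or of Mozilla's crash tooling. It takes the first resolved frame as the crash signature, flags a program counter in the first page as near-null, and counts GC marking frames. The hint list, the 0x1000 limit and all function names are assumptions of this example.

```python
import re

# Constructed sample: the top of the opt backtrace quoted in this bug.
SAMPLE_BT = """\
#0 0x00000008 in ?? ()
Cannot access memory at address 0x8
#1 0x000b89fa in js_TraceObject ()
#2 0x000b8e5f in js_TraceObject ()
#3 0x0007003c in js::gc::MarkChildren ()
#4 0x0007a2c8 in js_TraceStackFrame ()
#5 0x000a0dc8 in generator_trace ()
#14 0x00076432 in GCUntilDone ()
#15 0x0007808b in js_GC ()
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+) in (\S+) \(")
# Assumption of this example: substrings that mark GC tracing/marking frames.
GC_HINTS = ("js_GC", "js::gc::", "js_Trace", "MarkRuntime", "generator_trace")
NEAR_NULL_LIMIT = 0x1000  # assumption: the first page counts as "near null"


def parse_frames(text):
    """Return [(index, pc, symbol)]; lines that are not gdb frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return frames


def triage(text):
    """Summarise a gdb backtrace for crash triage."""
    frames = parse_frames(text)
    if not frames:
        raise ValueError("no gdb frames found")
    resolved = [sym for _, _, sym in frames if sym != "??"]
    gc_frames = [sym for sym in resolved if any(h in sym for h in GC_HINTS)]
    return {
        "signature": resolved[0] if resolved else None,  # skips unresolved "??"
        "pc_near_null": frames[0][1] < NEAR_NULL_LIMIT,
        "gc_frames": len(gc_frames),
        "trace_recursion": resolved.count("js_TraceObject"),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_BT))
```
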
Reporter
Updated•14 years ago
blocking2.0: --- → ?
Assignee
Comment 1•14 years ago
Thought this was a dup, still reproduces in my tree even with bug 620335 fixed -- will investigate.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
blocking2.0: ? → ---
OS: Mac OS X → All
Hardware: x86 → All
Reporter
Updated•14 years ago
blocking2.0: --- → ?
Assignee
Comment 2•14 years ago
...plus an extra tweak to assert more than I'd originally done in bug 620335.
Attachment #500605 - Flags: review?(lw)
Updated•14 years ago
Attachment #500605 - Flags: review?(lw) → review+
Updated•14 years ago
blocking2.0: ? → betaN+
Updated•14 years ago
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][hardblocker]
Assignee
Comment 3•14 years ago
Whiteboard: [ccbr][sg:critical?][hardblocker] → [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey]
Target Milestone: --- → mozilla2.0b9
Comment 4•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Crash Signature: [@ js_TraceObject]
Comment 5•13 years ago
Tracer bug, marking VERIFIED due to tracer removal.
Status: RESOLVED → VERIFIED
Updated•10 years ago
Group: core-security