Closed
Bug 621943
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ js_TraceObject] or "Assertion failure: !argsobj.getPrivate(),"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla2.0b9
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: Waldo)
Details
(4 keywords, Whiteboard: [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey])
Crash Data
Attachments
(1 file)
|
2.18 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
function f1(code) {
f = Function(code)
v = f2(f, code);
try {
for (e in rv)
{
n
}
} catch(r) {}
}
function f2(f, e) {
rv = f()
}
f1("\"use strict\";for each(b in[0]){(eval(yield[]))}")
f1("gc()")
asserts js debug shell on TM changeset 2e3df1dda85 with -m at Assertion failure: !argsobj.getPrivate(), and crashes at js_TraceObject.
Assuming s-s because this involves gc.
Opt backtrace:
(gdb) bt
#0 0x00000008 in ?? ()
Cannot access memory at address 0x8
#1 0x000b89fa in js_TraceObject ()
#2 0x000b8e5f in js_TraceObject ()
#3 0x0007003c in js::gc::MarkChildren ()
#4 0x0007a2c8 in js_TraceStackFrame ()
#5 0x000a0dc8 in generator_trace ()
#6 0x000b89fa in js_TraceObject ()
#7 0x000b8e5f in js_TraceObject ()
#8 0x0007003c in js::gc::MarkChildren ()
#9 0x000702d0 in js::gc::MarkChildren ()
#10 0x000702df in js::gc::MarkChildren ()
#11 0x000702df in js::gc::MarkChildren ()
#12 0x0007e076 in js::MarkIfGCThingWord ()
#13 0x000749bb in js::MarkRuntime ()
#14 0x00076432 in GCUntilDone ()
#15 0x0007808b in js_GC ()
#16 0x000130aa in JS_GC ()
#17 0x00007059 in GC ()
#18 0x0022c19c in CallCompiler::generateNativeStub ()
#19 0x0022b8fb in js::mjit::ic::NativeCall ()
#20 0x006c4095 in ?? ()
#21 0x001d477a in js::mjit::JaegerShot ()
#22 0x0009645a in js::Invoke ()
#23 0x0023e100 in js::mjit::stubs::SlowCall ()
#24 0x0022a6b5 in SlowCallFromIC ()
#25 0x006c3c4d in ?? ()
#26 0x001d477a in js::mjit::JaegerShot ()
#27 0x00095d83 in js::Execute ()
#28 0x00018db8 in JS_ExecuteScript ()
#29 0x00006464 in Process ()
#30 0x0000ad02 in Shell ()
#31 0x0000b29f in main ()
(gdb) x/i $eip
0x8: Cannot access memory at address 0x8
|
Reporter | |
Updated•14 years ago
|
blocking2.0: --- → ?
|
Assignee | |
Comment 1•14 years ago
|
||
Thought this was a dup, still reproduces in my tree even with bug 620335 fixed -- will investigate.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
blocking2.0: ? → ---
OS: Mac OS X → All
Hardware: x86 → All
|
|
Reporter | |
Updated•14 years ago
|
blocking2.0: --- → ?
|
|
Assignee | |
Comment 2•14 years ago
|
||
...plus an extra tweak to assert more than I'd originally done in bug 620335.
Attachment #500605 -
Flags: review?(lw)
|
|
||
Updated•14 years ago
|
Attachment #500605 -
Flags: review?(lw) → review+
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
|
||
Updated•14 years ago
|
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][hardblocker]
|
|
Assignee | |
Comment 3•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/1b62c516b291
Whiteboard: [ccbr][sg:critical?][hardblocker] → [ccbr][sg:critical?][hardblocker][fixed-in-tracemonkey]
Target Milestone: --- → mozilla2.0b9
|
||
Comment 4•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/1b62c516b291
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ js_TraceObject]
|
||
Comment 5•12 years ago
|
||
Tracer bug, marking VERIFIED due to tracer removal.
Status: RESOLVED → VERIFIED
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•