Closed Bug 622318 Opened 14 years ago Closed 14 years ago

TM: Crash [@ js::Interpret] or "Assertion failure: regs.sp[-1].isObject(),"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

try {
    for (window = (0
    for (x in V)); f;) {}
} catch(e) {}
for each(let z in [0, 0, 0, 0, 0, 0, 0, 0, 0]) {
    for (v in window) {}
}
var e, V

asserts js debug shell on TM changeset e0fc487c23f4 with -j when passed in as a CLI argument at Assertion failure: regs.sp[-1].isObject(), and crashes js opt shell at js::Interpret.

Setting s-s just-in-case.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   58599:9acf849c97b4
user:        Luke Wagner
date:        Fri Nov 19 15:09:03 2010 -0800
summary:     Bug 612523 - unfuse JSOP_MOREITER; sanity returns (r=dvander,gal)

Opt shell console output:

(gdb) bt
#0  0x00086648 in js::Interpret ()
#1  0x00096636 in js::Execute ()
#2  0x00018928 in JS_ExecuteScript ()
#3  0x00006309 in Process ()
#4  0x0000a862 in Shell ()
#5  0x0000adff in main ()
(gdb) x/i $eip
0x86648 <_ZN2js9InterpretEP9JSContextP12JSStackFramej12JSInterpMode+28808>:     cmp    %eax,0x4(%edx)
(gdb) x/b $eax
0x2afec0 <js_IteratorClass>:    0x02
(gdb) x/b $edx
0x0:    Cannot access memory at address 0x0
blocking2.0: --- → ?
Attached patch fixSplinter Review
Thinko -- inverted check emitted.  This would have been obvious if pendingGuardCondition's use wasn't so far away from its definition.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #500621 - Flags: review?(dvander)
Attachment #500621 - Flags: review?(dvander) → review+
blocking2.0: ? → betaN+
http://hg.mozilla.org/tracemonkey/rev/2e57743aeca6
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/2e57743aeca6
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::Interpret]
Luke, did this affect 1.9.2? Any reason to keep this locked?
Nope.
Group: core-security
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+