Closed Bug 622318 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js::Interpret] or "Assertion failure: regs.sp[-1].isObject(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [ccbr][sg:critical?] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

fix
1.21 KB, patch
dvander
: review+
Details | Diff | Splinter Review
try { for (window = (0 for (x in V)); f;) {} } catch(e) {} for each(let z in [0, 0, 0, 0, 0, 0, 0, 0, 0]) { for (v in window) {} } var e, V asserts js debug shell on TM changeset e0fc487c23f4 with -j when passed in as a CLI argument at Assertion failure: regs.sp[-1].isObject(), and crashes js opt shell at js::Interpret. Setting s-s just-in-case. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 58599:9acf849c97b4 user: Luke Wagner date: Fri Nov 19 15:09:03 2010 -0800 summary: Bug 612523 - unfuse JSOP_MOREITER; sanity returns (r=dvander,gal) Opt shell console output: (gdb) bt #0 0x00086648 in js::Interpret () #1 0x00096636 in js::Execute () #2 0x00018928 in JS_ExecuteScript () #3 0x00006309 in Process () #4 0x0000a862 in Shell () #5 0x0000adff in main () (gdb) x/i $eip 0x86648 <_ZN2js9InterpretEP9JSContextP12JSStackFramej12JSInterpMode+28808>: cmp %eax,0x4(%edx) (gdb) x/b $eax 0x2afec0 <js_IteratorClass>: 0x02 (gdb) x/b $edx 0x0: Cannot access memory at address 0x0
blocking2.0: --- → ?
Attached patch fixSplinter Review
Thinko -- inverted check emitted. This would have been obvious if pendingGuardCondition's use wasn't so far away from where its definition.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #500621 - Flags: review?(dvander)
Attachment #500621 - Flags: review?(dvander) → review+
blocking2.0: ? → betaN+
http://hg.mozilla.org/tracemonkey/rev/2e57743aeca6
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/2e57743aeca6
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::Interpret]
Luke, did this affect 1.9.2? Any reason to keep this locked?
Nope.
Group: core-security
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: