TM: Crash [@ js::VisitFrameSlots] or "Assertion failure: *(uint32 *)slot != 0,"

RESOLVED DUPLICATE of bug 627692

Status

()

--
critical
RESOLVED DUPLICATE of bug 627692
8 years ago
5 years ago

People

(Reporter: gkw, Assigned: jorendorff)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Linux
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+)

Details

(Whiteboard: [ccbr][sg:critical?][hardblocker], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
Created attachment 505760 [details]
console output

function a() {}
function f(code) {
    var g = Function(code);
    try {
        g()
    } catch (r) {}
}
b = []
c = []
d = (function () {
    try {
        (function () {
            for (e = 0; e < 1; e++) {
                x
            }
        })()
    } catch (r) {}
})()
f("\
  for(m = 0; m < 1; m++) {\
    n\
  }\
")
for (p = 0; p < 1; p++) {}
q = 4
__defineGetter__("x", function (r) {
    for (var t in this) {}
    return this
})
f("\
  for each(var s in x) {\
    var t;\
    var u;\
  }\
")

crashes js opt shell on TM changeset aa618e93942e with -j at js::VisitFrameSlots and asserts js debug shell with -j at Assertion failure: *(uint32 *)slot != 0

Assuming s-s just-in-case.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   60455:284811f39ca6
tag:         tip
user:        David Anderson
date:        Fri Jan 14 17:15:21 2011 -0800
summary:     Get rid of value snapshotting in value iterators (bug 624421, r=luke,gal).
(Reporter)

Updated

8 years ago
blocking2.0: --- → ?

Updated

8 years ago
blocking2.0: ? → final+
(Assignee)

Updated

8 years ago
Assignee: general → jorendorff
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][hardblocker]
(Assignee)

Comment 1

8 years ago
Duping forward to the bug that has the patch.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 627692
Crash Signature: [@ js::VisitFrameSlots]
Group: core-security
You need to log in before you can comment on or make changes to this bug.