Closed Bug 645991 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: top->isType(JSVAL_TYPE_OBJECT) // Crash @ [JSString::isLinear]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 645629

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase)

The following code crashes on TI tip when run with -m -n -a (tested on 64 bit):

CompareSplit( "hello", "hellothere" );
CompareSplit( new String("hello" ) );
function CompareSplit( string, separator ) {
  split_1 = string.split( separator );
  while (true ) { }
}

0x0000000000412d02 in JSString::isLinear (this=0x0) at ./jsstr.h:283
283         return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS;
(gdb) bt
#0  0x0000000000412d02 in JSString::isLinear (this=0x0) at ./jsstr.h:283
#1  0x0000000000412e0a in JSLinearString::chars (this=0x0) at ./jsstr.h:407
#2  0x000000000051d4df in js_CheckForStringIndex (id={asBits = 0}) at jsobj.cpp:4578
#3  0x000000000051f7fc in js_GetPropertyHelperWithShapeInline (cx=0xebfbe0, obj=0x7fe891a10058, receiver=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30, shapeOut=0x7fffe6bb2e68, holderOut=0x7fffe6bb2e60) at jsobj.cpp:5437
#4  0x000000000051fcd3 in js_GetPropertyHelperInline (cx=0xebfbe0, obj=0x7fe891a10058, receiver=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30) at jsobj.cpp:5545
#5  0x000000000051fd21 in js_GetPropertyHelper (cx=0xebfbe0, obj=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30) at jsobj.cpp:5551
#6  0x000000000077de91 in js::mjit::stubs::CallProp (f=@0x7fffe6bb2fa0, origAtom=0x0) at ./methodjit/StubCalls.cpp:2131

When omitting the "while (true) {}" in the code, the assertion pops up instead.

This could be related to or a duplicate of 645985.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE