TI: Assertion failure: top->isType(JSVAL_TYPE_OBJECT) // Crash @ [JSString::isLinear]

RESOLVED DUPLICATE of bug 645629

Status

Core
JavaScript Engine
--
critical
7 years ago
7 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

7 years ago
The following code crashes on TI tip when run with -m -n -a (tested on 64 bit):

CompareSplit( "hello", "hellothere" );
CompareSplit( new String("hello" ) );
function CompareSplit( string, separator ) {
  split_1 = string.split( separator );
  while (true ) {
  }
}

0x0000000000412d02 in JSString::isLinear (this=0x0) at ./jsstr.h:283
283             return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS;
(gdb) bt
#0  0x0000000000412d02 in JSString::isLinear (this=0x0) at ./jsstr.h:283
#1  0x0000000000412e0a in JSLinearString::chars (this=0x0) at ./jsstr.h:407
#2  0x000000000051d4df in js_CheckForStringIndex (id={asBits = 0}) at jsobj.cpp:4578
#3  0x000000000051f7fc in js_GetPropertyHelperWithShapeInline (cx=0xebfbe0, obj=0x7fe891a10058, receiver=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30, 
    shapeOut=0x7fffe6bb2e68, holderOut=0x7fffe6bb2e60) at jsobj.cpp:5437
#4  0x000000000051fcd3 in js_GetPropertyHelperInline (cx=0xebfbe0, obj=0x7fe891a10058, receiver=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30) at jsobj.cpp:5545
#5  0x000000000051fd21 in js_GetPropertyHelper (cx=0xebfbe0, obj=0x7fe891a10058, id={asBits = 0}, getHow=3, vp=0x7fffe6bb2f30) at jsobj.cpp:5551
#6  0x000000000077de91 in js::mjit::stubs::CallProp (f=@0x7fffe6bb2fa0, origAtom=0x0) at ./methodjit/StubCalls.cpp:2131


When omitting the "while (true) {}" in the code, the assertion pops up instead. This could be related to, or a duplicate of, 645985.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 645629
(Reporter)

Updated

7 years ago
Blocks: 676763