Bug 656226 - TI: "Assertion failure: (uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT,"
Opened 14 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 655950
People: Reporter: gkw; Unassigned
Keywords: assertion, testcase

Description
// jsfunfuzz-generated testcase (see the compile path in the backtrace below).
// Number.prototype is returned from a method call on an object literal, the
// result gets a new property assigned, and the loop repeats until the
// assertion fires; it has no exit condition of its own.
o7 = (5).__proto__   // Number.prototype
function f0(o) {
  ({
    x: function() {
      return o
    }
  }.x().p = function() {
    x: eval("")      // labeled statement inside a function body, not an object literal
  }, true)
}
for (i = 0;;) {      // infinite loop: runs until the JIT/interpreter assertion triggers
  f0(o7)
}
asserts js debug shell on JM changeset fd1abc43d698 with -m and -n at Assertion failure: (uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT,
(gdb) bt
#0 0xf7fdf430 in __kernel_vsyscall ()
#1 0xf7fb5ba0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x081fda8d in JS_Assert (s=0x83c791c "(uint32)l.s.tag <= (uint32)JSVAL_TAG_OBJECT", file=0x83c78a8 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsval.h", ln=500)
at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsutil.cpp:89
#3 0x0804ad8a in JSVAL_IS_OBJECT_OR_NULL_IMPL (l=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsval.h:500
#4 0x08059ff2 in js::Value::isObjectOrNull (this=0xf76e40b8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsvalue.h:514
#5 0x08151e25 in js_ValueToObjectOrNull (cx=0x84e4028, v=..., objp=0xffffb44c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsobj.cpp:6628
#6 0x08151fad in js_ValueToNonNullObject (cx=0x84e4028, v=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsobj.cpp:6669
#7 0x08397c92 in js::Interpret (cx=0x84e4028, entryFrame=0xf76e4080, inlineCallCount=0, interpMode=js::JSINTERP_SAFEPOINT)
at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/jsinterp.cpp:4275
#8 0x08354b19 in js_InternalInterpret (returnData=0xf750f070, returnType=0xffff0007, returnReg=0x82b6370, f=...)
at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/methodjit/InvokeHelpers.cpp:1621
#9 0x082b6348 in JaegerInterpoline () at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-69167-fd1abc43d698/compilePath/js/src/methodjit/MethodJIT.cpp:152
#10 0x000f4240 in ?? ()
#11 0x00000000 in ?? ()
Comment 1 (Reporter) • 14 years ago
Pass the testcase in as a CLI argument to try to reproduce.
Comment 2 • 14 years ago
Hmm, can't repro. Was this fixed by bug 655950?
Comment 3 • 14 years ago
Don't have a Linux VM installed to confirm, but this hits the busted cast fixed in bug 655950, so I'm guessing that's the problem.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 4 • 13 years ago
A testcase for this bug was already added in the original bug (bug 655950).
Flags: in-testsuite-