Closed
Bug 690285
Opened 13 years ago
Closed 13 years ago
JM: "Assertion failure: asCall().maybeStackFrame() != NULL," with trap
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, testcase, Whiteboard: js-triage-needed)
Attachments
(1 file)
|
7.10 KB,
text/plain
|
Details |
function g(s) {
var c;
return eval(s);
}
f = g("\
(function() {\
for each(let w in []) {\
let(w) {\
for (a = 0; a < 2; ++a) {\
if (a % 11 == 2) {\
(NaN);\
} else {\
({\
a1: 1\
});\
}\
}\
}\
}\
});\
");
var o = {}.__proto__
for (var i = 0; i < 2; i++) {
var props = Object.getOwnPropertyNames(o)
var prop = props[props.length - 1] + "p"
o[prop] = Uint8ClampedArray()
}
dis(f)
trap(f, 107, '')
f()
asserts js debug shell on JM changeset 44ef245b8706 with -m, -a and -d at Assertion failure: asCall().maybeStackFrame() != NULL,
Sometimes removing the "var c;" line near the top causes Assertion failure: !obj->isBlock(), but doesn't occur with this testcase.
|
Reporter | |
Comment 1•13 years ago
|
||
Tested on 64-bit Mac OS X 10.6 js shell.
|
|
Reporter | |
Comment 2•13 years ago
|
||
Also occurs on 32-bit Mac m-c rev dbb129f069b1.
|
|
Reporter | |
Comment 3•13 years ago
|
||
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
|
||
Comment 4•13 years ago
|
||
When JS_GetFrameScopeChain is called via the trap, it changes the layout of the scope chain and causes the BINDNAME IC to push the wrong object.
|
|
Reporter | |
Comment 5•13 years ago
|
||
Probably fixed by bug 706611. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 81128:d32ccb2b8a05 user: Brian Hackett date: Thu Dec 01 15:13:51 2011 -0800 summary: Remove JSOP_NOTRACE, rename JSOP_TRACE -> JSOP_LOOPHEAD, bug 706611. r=dvander
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•