Closed
Bug 760460
Opened 13 years ago
Closed 12 years ago
Assertion failure: i < argc_, at ../dist/include/js/CallArgs.h:283 or Crash [@ ToPrimitive] with line2pc
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
People
(Reporter: decoder, Assigned: evilpies)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [js:p3] [jsbugmon:testComment=4])
Attachments
(1 file)
|
1.15 KB,
text/plain
|
Details |
The following test crashes on mozilla-central revision 73783bf75c4c (options -m -n):
function enterFunc (funcName) {}
function stringify(a) {}
var y = {};
try { assertEq(stringify(y), "foo"); } catch (exc1) {}
enterFunc ('test');
line2pc (enterFunc);
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000424b2c in JSString::isAtom (this=0x7fff000e0002) at /srv/repos/mozilla-central/js/src/vm/String.h:352
352 bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
(gdb) bt
#0 0x0000000000424b2c in JSString::isAtom (this=0x7fff000e0002) at /srv/repos/mozilla-central/js/src/vm/String.h:352
#1 0x000000000042831c in js::CompartmentChecker::check (this=0x7fffffffca20, str=0x7fff000e0002) at ../jscntxtinlines.h:265
#2 0x00000000004283b2 in js::CompartmentChecker::check (this=0x7fffffffca20, v=...) at ../jscntxtinlines.h:273
#3 0x000000000044dfe9 in js::assertSameCompartment<JS::Value> (cx=0xc08c20, t1=...) at ../jscntxtinlines.h:335
#4 0x000000000042c601 in JS_ValueToECMAUint32 (cx=0xc08c20, v=..., ip=0x7fffffffcaa8) at /srv/repos/mozilla-central/js/src/jsapi.cpp:556
#5 0x000000000040badd in LineToPC (cx=0xc08c20, argc=1, vp=0x7ffff63fb0a0) at /srv/repos/mozilla-central/js/src/shell/js.cpp:1516
Likely debug-only since line2pc is a debug function.
|
||
Comment 1•13 years ago
|
||
If the first argument is a function, line2pc assumes there's a second argument (line number). So we try to convert some garbage Value to uint32 and crash.
Whiteboard: js-triage-needed → js-triage-done
|
||
Updated•13 years ago
|
Whiteboard: js-triage-done → [js:p3]
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [js:p3] → [js:p3][jsbugmon:update]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:p3][jsbugmon:update] → [js:p3] [jsbugmon:]
|
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: Cannot process bug: Unknown exception (check manually)
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:p3] [jsbugmon:] → [js:p3] [jsbugmon:update]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:p3] [jsbugmon:update] → [js:p3] [jsbugmon:]
|
|
Reporter | |
Comment 3•12 years ago
|
||
JSBugMon: Cannot process bug: Unknown exception (check manually)
|
|
Reporter | |
Comment 4•12 years ago
|
||
We still have various assertions and crashes around line2pc. A test as simple as
function f() {};
line2pc(f);
asserts or crashes on mozilla-central rev 8f9ba85eb61c. I'll attach a signature here to ignore the bug, but this should be fixed nevertheless.
Keywords: assertion
Summary: Crash [@ JSString::isAtom] with line2pc → Assertion failure: i < argc_, at ../dist/include/js/CallArgs.h:283 or Crash [@ ToPrimitive] with line2pc
Whiteboard: [js:p3] [jsbugmon:] → [js:p3] [jsbugmon:update,testComment=4]
|
|
Reporter | |
Comment 5•12 years ago
|
||
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:p3] [jsbugmon:update,testComment=4] → [js:p3] [jsbugmon:update,testComment=4,ignore]
|
|
Reporter | |
Comment 6•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 396e59370945).
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:p3] [jsbugmon:update,testComment=4,ignore] → [js:p3] [jsbugmon:bisectfix,testComment=4]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [js:p3] [jsbugmon:bisectfix,testComment=4] → [js:p3] [jsbugmon:testComment=4]
|
|
Reporter | |
Comment 7•12 years ago
|
||
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/4d7fc1075878
user: Tom Schuster
date: Fri Nov 01 20:44:05 2013 +0100
summary: Bug 933810 - Really remove JS_ValueToECMAUint32. r=terrence f=mccr8
This iteration took 427.495 seconds to run.
|
Assignee | |
Comment 8•12 years ago
|
||
Yep, I changed to code to use args.get(), which is safe.
|
|
Reporter | |
Comment 9•12 years ago
|
||
(In reply to Tom Schuster [:evilpie] from comment #8)
> Yep, I changed to code to use args.get(), which is safe.
Thanks Tom!
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
|
|
||
Comment 10•11 years ago
|
||
Assertion failure reproducible on Ubuntu 12.10 x86_x64 with the 10/31 Fx28 js shell and both testcases (comments 0 and 4):
Assertion failure: i < argc_, at ../../../dist/include/js/CallArgs.h:318
Segmentation fault (core dumped)
Verified as fixed with the 02/04 Fx28 and 02/05 Fx30 js shells in the same environment.
Status: RESOLVED → VERIFIED
Keywords: verifyme
|
|
||
Comment 11•11 years ago
|
||
Socorro shows 23 crashes with this signature (@ ToPrimitive), all on Windows and all before Firefox 28.
You need to log in
before you can comment on or make changes to this bug.
Description
•