Bug 800410 (Closed)
Opened 13 years ago
Closed 13 years ago
[jsdbg2] Assertion failure: isObject(), at ../../jsapi.h:477 or Crash [@ js::InvokeKernel]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla20
People: Reporter: decoder, Assigned: jorendorff
Keywords: assertion, testcase
Attachments (1 file): patch, 2.71 KB; jimb: review+
The following testcase asserts on mozilla-central revision 5cca0408a73f (run with --ion-eager):
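var g = newGlobal('new-compartment');
var dbg = new Debugger;
var gw = dbg.addDebuggee(g);
g.eval("function gf() { return 12; }\n" +
       "function sf(v) { value = v; }\n");
// The eval below evaluates to the string 'PASSED', so gfw is not a function.
var gfw = (eval("var MYVAR; if ( new Boolean(true) ) MYVAR='PASSED'; MYVAR"));
var sfw = gw.getOwnPropertyDescriptor("sf").value;
// gfw (a string) is passed as the getter of an accessor property on the debuggee global.
gw.defineProperties({x: {configurable: true, get: gfw, set: sfw}});
// Reading g.x invokes the getter.
assertEq(g.x, 12);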
Comment 1 (Reporter) • 13 years ago
Crash trace:
==49853== Invalid read of size 8
==49853== at 0x497956: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsscope.h:600)
==49853== by 0x4980EC: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:109)
==49853== by 0x4981AA: js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:484)
==49853== by 0x4A665F: js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) (jsscopeinlines.h:295)
==49853== by 0x4ACA46: js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobj.cpp:4228)
==49853== by 0x4098C4: JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobjinlines.h:171)
==49853== by 0x4D0F00: js::DirectProxyHandler::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) (jsproxy.cpp:587)
==49853== by 0x52D1CF: js::DirectWrapper::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) (jswrapper.cpp:358)
==49853== by 0x52F394: js::CrossCompartmentWrapper::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) (in /srv/repos/mozilla-central/js/src/opt64/shell/js)
==49853== by 0x4D4010: js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsproxy.cpp:2378)
==49853== by 0x4D40E8: proxy_GetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsproxy.cpp:2647)
==49853== by 0x4098AD: JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) (jsobjinlines.h:168)
==49853== Address 0x68 is not stack'd, malloc'd or (recently) free'd
jsdbg2 only, not security-related therefore.
Comment 2 (Assignee) • 13 years ago
Assignee: general → jorendorff
Attachment #682200 - Flags: review?(jimb)
Comment 3 • 13 years ago
Comment on attachment 682200
v1
Review of attachment 682200:
-----------------------------------------------------------------
::: js/src/jit-test/tests/debug/Object-defineProperty-13.js
@@ +3,5 @@
> +var g = newGlobal('new-compartment');
> +var dbg = new Debugger;
> +var gw = dbg.addDebuggee(g);
> +
> +for (let v of [null, false, 'bad', 0, 2.76, {}]) {
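Review bot: the value list on the "for (let v of [null, false, 'bad', 0, 2.76, {}])" line has no comment saying what these values have in common, and the loop body is not visible in this quoted excerpt. The reported testcase reached the crash through gw.defineProperties with a string as get, while this file is named for defineProperty, so it is worth confirming that the body tries each v as both get and set and through both defineProperty and defineProperties, with a one-line comment above the loop stating that none of the values is callable.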
Among those you could have chosen, the number 2.76 seems to me rather a dull one; I hope it is not an unfavorable omen.
http://en.wikipedia.org/wiki/1729_%28number%29
Attachment #682200 - Flags: review?(jimb) → review+
Comment 4 (Assignee) • 13 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d675239f3ca7
I have no incredibly clever factoid in my pocket about 2.76. Sorry.
Comment 5 • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20