Closed
Bug 1141338
Opened 10 years ago
Closed 10 years ago
Crash [@ JS::ObjectOpResult::reportStrictErrorOrWarning] or Assertion failure: (objBits >> 47) == 0, at dist/include/js/Value.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1141154
Tracking | Status | |
---|---|---|
firefox39 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords)
Crash Data
Attachments
(1 file)
(deleted),
text/plain
|
Details |
z = [];
m = evalcx("");
Object.freeze(m)
for each(l in [{}, {}]) {
m.s = ""
}
asserts js debug shell on m-c changeset fecf1afb0830 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: (objBits >> 47) == 0, at dist/include/js/Value.h with variants crashing at JS::ObjectOpResult::reportStrictErrorOrWarning.
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh ~/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r fecf1afb0830
Opt builds crash similar to bug 1141154, except that this testcase does not involve Debugger.
Jason, is bug 1113369 a likely regressor?
Flags: needinfo?(jorendorff)
Reporter | ||
Comment 1•10 years ago
|
||
(lldb) bt
* thread #1: tid = 0x17ab36, 0x000000010001bcdb js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::Value::setObject(JSObject&) [inlined] OBJECT_TO_JSVAL_IMPL(obj=<unavailable>) + 150 at Value.h:829, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010001bcdb js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::Value::setObject(JSObject&) [inlined] OBJECT_TO_JSVAL_IMPL(obj=<unavailable>) + 150 at Value.h:829
frame #1: 0x000000010001bc45 js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::Value::setObject(this=<unavailable>, obj=<unavailable>) + 53 at Value.h:1057
frame #2: 0x000000010074623f js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::ObjectOpResult::reportStrictErrorOrWarning(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool) [inlined] JS::ObjectValue(obj=<unavailable>) + 5 at Value.h:1474
frame #3: 0x000000010074623a js-dbg-64-dm-nsprBuild-darwin-fecf1afb0830`JS::ObjectOpResult::reportStrictErrorOrWarning(this=0x00007fff5fbfe8f0, cx=0x0000000101f02740, strict=<unavailable>, obj=<unavailable>, id=<unavailable>) + 170 at jsapi.cpp:151
(lldb)
Comment 2•10 years ago
|
||
Could be a dup of bug 1141154.
Comment 4•10 years ago
|
||
I added the test case in comment 0 to my patch in bug 1141154.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•