Closed
Bug 502714
Opened 15 years ago
Closed 15 years ago
TM: Assertion failure: isNumber(*p) == (t == TT_DOUBLE)
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
DUPLICATE
of bug 502604
People
(Reporter: aaronmt, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:dupe 502604])
Attachments
(1 file)
(deleted),
text/plain
|
Details |
TM: Assertion failure:isNumber(*p) == (t == TT_DOUBLE), at
/Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331
#0 JS_Assert (s=0x70 <Address 0x70 out of bounds>, file=0x70 <Address 0x70 out of bounds>, ln=112) at /Users/mozilla/mozilla-central/js/src/jsutil.cpp:69
#1 0x0037d5bf in TraceRecorder::import (this=0x1daf8e50, base=0x15d69d3c, offset=596, p=0x1daeb3b4, t=TT_STRING, prefix=0x402388 "global", index=4, fp=0x0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331
#2 0x00398552 in VisitGlobalSlots<ImportGlobalSlotVisitor> [inlined] () at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2399
#3 0x00398552 in TraceRecorder::import (this=0x1daf8e50, treeInfo=0x1daf8a60, sp=0x15d69d5c, stackSlots=9, ngslots=9, callDepth=1, typeMap=0x126ca5c0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2512
#4 0x00398ff5 in TraceRecorder::TraceRecorder (this=0x1daf8e50, cx=0xaad000, _anchor=0x15d6aaac, _fragment=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, innermostNestedGuard=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1629
#5 0x003994f3 in js_StartRecorder (cx=0xaad000, anchor=0x15d6aaac, f=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, expectedInnerExit=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1648
#6 0x00399877 in js_AttemptToExtendTree (cx=0xaad000, anchor=0x1daf8d00, exitedFrom=0x15a5d8a8, outer=0x15c0c823 "?;\n.?") at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4664
#7 0x0039b17f in js_RecordLoopEdge (cx=0x1daf8e50, r=0x1daf8e90, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4786
#8 0x0039b32a in js_MonitorLoopEdge (cx=0xaad000, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:5439
#9 0x002cc6f9 in js_Interpret (cx=0xaad000) at /Users/mozilla/mozilla-central/js/src/jsinterp.cpp:3944
#10 0x002d07d2 in js_Execute (cx=0xaad000, chain=0x1aa090a0, script=0x15c08000, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1661
...
Occurs on Mac/Windows/Linux 1.9.2
See attached reduced testcase
Reporter | ||
Comment 1•15 years ago
|
||
Reporter | ||
Updated•15 years ago
|
Summary: TM: Assertion failure:isNumber(*p) == (t == TT_DOUBLE) → TM: Assertion failure: isNumber(*p) == (t == TT_DOUBLE)
Reporter | ||
Comment 2•15 years ago
|
||
Most likely related is bug 502604
Comment 3•15 years ago
|
||
David, can you take a look?
Updated•15 years ago
|
Flags: blocking1.9.1.1?
Comment 4•15 years ago
|
||
This is crashing 3.5. 502604 is probably a dup. I suggest blocking 3.5.1 on this at least until we know the cause.
Updated•15 years ago
|
Group: core-security
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 6•15 years ago
|
||
Comment on attachment 387064 [details]
testcase
js testcases should have MIME type text/plain.
Attachment #387064 -
Attachment mime type: application/x-javascript → text/plain
Comment 7•15 years ago
|
||
I'll be attaching a fully reduced testcase soon - along with autoBisect results.
Comment 8•15 years ago
|
||
for each(z in ['', 0, '', '']) {
for (let x = 0; x < 3; ++x) {
let y = x;
print(y || (z *= String))
}
}
This asserts Assertion failure: isNumber(*p) == (t == TT_DOUBLE), at ../jstracer.cpp:2331 with -j and does not assert without. It does seem to be fixed by the patch in bug 502604.
autoBisect shows this is probably related to bug 452498:
The first bad revision is:
changeset: 26784:2cf0bbe3772a
user: Brendan Eich
date: Sun Apr 05 21:17:22 2009 -0700
summary: upvar2, aka the big one take 2 (452498, r=mrbkap).
Blocks: upvar2
Flags: in-testsuite?
Comment 9•15 years ago
|
||
I think the upvar2 relation is incidental.
/be
Updated•15 years ago
|
Flags: blocking1.9.1.1?
Updated•15 years ago
|
Whiteboard: [sg:dupe 502604]
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•