Closed Bug 513038 Opened 15 years ago Closed 15 years ago

TM: Crash [@ LeaveTree] [@ js_DeepBail] or "Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

VERIFIED DUPLICATE of bug 510642
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(5 keywords, Whiteboard: [sg:dupe 510642][ccbr])

function f() {
  let c
  try {
    (eval("\
      (function(){\
        with(\
          __defineGetter__(\"x\", function() { for(a = 0; a < 3 ; a++){ c = a }})\
        ){}\
      })\
    "))()
  } catch(e) {}
}
f()
print(x)

crashes js opt shell with -j on TM branch at LeaveTree / js_DeepBail and asserts js debug shell with -j at Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp

Setting security-sensitive because stack has unknown locations in it.

autoBisect shows it is probably related to bug 495329:

The first bad revision is:
changeset:   30697:60a9ef4e1a3d
user:        David Mandelin
date:        Mon Jul 27 18:13:53 2009 -0700
summary:     Bug 495329: Trace JSOP_BINDNAME/JSOP_SETNAME for closures, r=brendan

=====

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000034
Crashed Thread:  0

Thread 0 Crashed:
0   js-opt-tm-darwin  0x000efc16 LeaveTree(InterpState&, VMSideExit*) + 54
1   js-opt-tm-darwin  0x000f052e js_DeepBail + 46
2   js-opt-tm-darwin  0x0001e224 js_ReportErrorNumberVA + 84
3   js-opt-tm-darwin  0x0000ccd0 JS_ReportErrorNumber + 64
4   js-opt-tm-darwin  0x0000db5f JS_SetReservedSlot + 127
5   js-opt-tm-darwin  0x00045fe3 CallPropertyOp(JSContext*, JSObject*, long, long*, JSCallPropertyKind, int) + 547
6   js-opt-tm-darwin  0x00046369 js_SetCallVar + 41
7   ???               0x001f0faf 0 + 2035631
8   ???               0xbfffecb8 0 + 3221220536
9   js-opt-tm-darwin  0x0010793a js_MonitorLoopEdge(JSContext*, unsigned int&) + 2250
10  js-opt-tm-darwin  0x00059cc7 js_Interpret + 54295
11  js-opt-tm-darwin  0x0005cb80 js_Invoke + 1488
12  js-opt-tm-darwin  0x0005d40b js_InternalInvoke + 139
13  js-opt-tm-darwin  0x0005d690 js_InternalGetOrSet + 192
14  js-opt-tm-darwin  0x00067f5e js_NativeGet + 526
15  js-opt-tm-darwin  0x00054089 js_Interpret + 30681
16  js-opt-tm-darwin  0x0005c342 js_Execute + 370
17  js-opt-tm-darwin  0x0000df4c JS_ExecuteScript + 60
18  js-opt-tm-darwin  0x00004170 Process(JSContext*, JSObject*, char*, int) + 1616
19  js-opt-tm-darwin  0x000072ef main + 879
20  js-opt-tm-darwin  0x0000186b _start + 209
21  js-opt-tm-darwin  0x00001799 start + 41
Flags: blocking1.9.2?
Whiteboard: [ccbr]
Testcase reposted to prevent 80-char problems in b.m.o:

function f() {
  let c
  try {
    (eval("\
      (function(){\
        with(\
          __defineGetter__(\"x\", function(){for(a = 0; a < 3; a++){c=a}})\
        ){}\
      })\
    "))()
  } catch(e) {}
}
f()
print(x)

Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp:1001

Copied from IRC for later reference:

>nth10sd: autoBisect fingers patch in bug 495329 is probably related
>nth10sd: might be related to bug 510642 though
WFM as e13689f56ee1, so it most likely was part of bug 510642. I added this test case to trace-tests and pushed to TM as bd52aa0c5397.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
(In reply to comment #4)
> I added this test case to trace-tests and pushed to TM as bd52aa0c5397.

in-testsuite+
Flags: in-testsuite+
Clearing nom flag on this dupe.
Flags: blocking1.9.2?
Group: core-security
Whiteboard: [ccbr] → [sg;dupe 510642][ccbr]
Whiteboard: [sg;dupe 510642][ccbr] → [sg:dupe 510642][ccbr]
js/src/trace-test/tests/basic/bug513038.js v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Crash Signature: [@ LeaveTree] [@ js_DeepBail]