Closed
Bug 513038
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ LeaveTree] [@ js_DeepBail] or "Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
DUPLICATE
of bug 510642
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(5 keywords, Whiteboard: [sg:dupe 510642][ccbr])
Crash Data
```js
function f() {
let c
try {
(eval("\
(function(){\
with(\
__defineGetter__(\"x\", function() { for(a = 0; a < 3 ; a++){ c = a }})\
){}\
})\
"))()
} catch(e) {}
}
f()
print(x)
```
crashes js opt shell with -j on TM branch at LeaveTree / js_DeepBail and asserts js debug shell with -j at Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp
Setting security-sensitive because stack has unknown locations in it.
autoBisect shows it is probably related to bug 495329 :
```
The first bad revision is:
changeset: 30697:60a9ef4e1a3d
user: David Mandelin
date: Mon Jul 27 18:13:53 2009 -0700
summary: Bug 495329: Trace JSOP_BINDNAME/JSOP_SETNAME for closures, r=brendan
```
=====
```
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000034
Crashed Thread: 0
Thread 0 Crashed:
0 js-opt-tm-darwin 0x000efc16 LeaveTree(InterpState&, VMSideExit*) + 54
1 js-opt-tm-darwin 0x000f052e js_DeepBail + 46
2 js-opt-tm-darwin 0x0001e224 js_ReportErrorNumberVA + 84
3 js-opt-tm-darwin 0x0000ccd0 JS_ReportErrorNumber + 64
4 js-opt-tm-darwin 0x0000db5f JS_SetReservedSlot + 127
5 js-opt-tm-darwin 0x00045fe3 CallPropertyOp(JSContext*, JSObject*, long, long*, JSCallPropertyKind, int) + 547
6 js-opt-tm-darwin 0x00046369 js_SetCallVar + 41
7 ??? 0x001f0faf 0 + 2035631
8 ??? 0xbfffecb8 0 + 3221220536
9 js-opt-tm-darwin 0x0010793a js_MonitorLoopEdge(JSContext*, unsigned int&) + 2250
10 js-opt-tm-darwin 0x00059cc7 js_Interpret + 54295
11 js-opt-tm-darwin 0x0005cb80 js_Invoke + 1488
12 js-opt-tm-darwin 0x0005d40b js_InternalInvoke + 139
13 js-opt-tm-darwin 0x0005d690 js_InternalGetOrSet + 192
14 js-opt-tm-darwin 0x00067f5e js_NativeGet + 526
15 js-opt-tm-darwin 0x00054089 js_Interpret + 30681
16 js-opt-tm-darwin 0x0005c342 js_Execute + 370
17 js-opt-tm-darwin 0x0000df4c JS_ExecuteScript + 60
18 js-opt-tm-darwin 0x00004170 Process(JSContext*, JSObject*, char*, int) + 1616
19 js-opt-tm-darwin 0x000072ef main + 879
20 js-opt-tm-darwin 0x0000186b _start + 209
21 js-opt-tm-darwin 0x00001799 start + 41
```
Flags: blocking1.9.2?
Reporter
Updated•15 years ago
Whiteboard: [ccbr]
Reporter
Comment 1•15 years ago
Related to bug 510642?
Reporter
Comment 2•15 years ago
Testcase reposted to prevent 80-char problems in b.m.o:
```js
function f() {
let c
try {
(eval("\
(function(){\
with(\
__defineGetter__(\"x\", function(){for(a = 0; a < 3; a++){c=a}})\
){}\
})\
"))()
} catch(e) {}
}
f()
print(x)
```
Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp:1001
Comment 3•15 years ago
Copied from IRC for later reference:
>nth10sd: autoBisect fingers patch in bug 495329 is probably related
>nth10sd: might be related to bug 510642 though
Comment 4•15 years ago
WFM as e13689f56ee1, so it most likely was part of bug 510642.
I added this test case to trace-tests and pushed to TM as bd52aa0c5397.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 5•15 years ago
(In reply to comment #4)
> I added this test case to trace-tests and pushed to TM as bd52aa0c5397.
in-testsuite+
Flags: in-testsuite+
Comment 7•15 years ago
status1.9.2:
--- → beta1-fixed
Flags: wanted1.9.2+
Updated•15 years ago
Whiteboard: [sg;dupe 510642][ccbr] → [sg:dupe 510642][ccbr]
Comment 8•15 years ago
js/src/trace-test/tests/basic/bug513038.js
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Updated•13 years ago
Crash Signature: [@ LeaveTree]
[@ js_DeepBail]