Closed Bug 546668 Opened 15 years ago Closed 15 years ago

Crash [@ obj_eval] or "Assertion failure: FUN_INTERPRETED(this), at ../../jsfun.h" with defineSetter, watch, eval

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [ccbr] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

__defineSetter__("x", function(){}); eval(this.watch("x", eval)); x = 0;

crashes js opt shell without -j on TM tip at obj_eval near null, and asserts js debug shell without -j on TM tip at

Assertion failure: FUN_INTERPRETED(this), at ../../jsfun.h:173

autoBisect shows this is probably related to bug 542797:

The first bad revision is:
changeset: 38067:e91417e33a53
user: Luke Wagner
date: Tue Feb 16 17:41:39 2010 -0800
summary: Bug 542797 - change obj_eval from JSNative to JSFastNative (r=mrbkap)

=====

js opt shell crash stack:

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000000000002a
Crashed Thread: 0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   js-opt-32-tm-darwin   0x000736a7 obj_eval(JSContext*, unsigned int, long*) + 407
1   js-opt-32-tm-darwin   0x0005ffe0 js_Invoke + 1744
2   js-opt-32-tm-darwin   0x0006083c js_InternalInvoke + 140
3   js-opt-32-tm-darwin   0x00067419 obj_watch_handler(JSContext*, JSObject*, long, long, long*, void*) + 249
4   js-opt-32-tm-darwin   0x0002964c js_watch_set + 236
5   js-opt-32-tm-darwin   0x0005fdac js_Invoke + 1180
6   js-opt-32-tm-darwin   0x0006083c js_InternalInvoke + 140
7   js-opt-32-tm-darwin   0x00060a73 js_InternalGetOrSet + 115
8   js-opt-32-tm-darwin   0x00069396 js_NativeSet + 214
9   js-opt-32-tm-darwin   0x0006ca44 js_SetPropertyHelper + 932
10  js-opt-32-tm-darwin   0x0004ffe0 js_Interpret + 2624
11  js-opt-32-tm-darwin   0x0005f5c1 js_Execute + 625
12  js-opt-32-tm-darwin   0x0000d6fc JS_ExecuteScript + 60
13  js-opt-32-tm-darwin   0x00004598 Process(JSContext*, JSObject*, char*, int) + 1336
14  js-opt-32-tm-darwin   0x00008526 main + 1734
15  js-opt-32-tm-darwin   0x0000243d _start + 208
16  js-opt-32-tm-darwin   0x0000236c start + 40
Ah, thanks for the simple test case! When removing the slow native's frame, I assumed the line: caller = js_GetScriptedCaller(cx, cx->fp) was really just doing 'caller = cx->fp->down' (I think I even tested this by adding an assert and running it through), but this is wrong if cx->fp->down->down is not interpreted, which, as Gary's testcase demonstrates, is quite possible.
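As an added illustration (not code from this bug's patch or from SpiderMonkey), the following C model shows the frame-chain assumption the comment above describes: a hypothetical Frame struct, the shortcut that treats the frame on entry as the scripted caller, and the walk past native frames that js_GetScriptedCaller performs. The frame names and the two stacks are constructed from the testcase and stack trace on this bug.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical, simplified model of an interpreter frame chain; an added
 * illustration, not SpiderMonkey's JSStackFrame. Each frame links to its
 * caller through `down`; only interpreted frames carry a script, native
 * (C) frames have script == NULL. A fast native such as the patched
 * obj_eval pushes no frame of its own, so on entry cx->fp is the frame of
 * whatever called it. */
typedef struct Frame {
    const char   *script;   /* non-NULL only for interpreted frames */
    const char   *native;   /* C function name, for native frames */
    struct Frame *down;     /* caller; NULL at the bottom of the stack */
} Frame;

/* The assumption behind the regression: the frame on entry is the scripted
 * caller. Fine when script calls eval directly, wrong when a native frame
 * (here js_watch_set) sits in between. */
static Frame *caller_assumed(Frame *fp) {
    return fp;
}

/* What js_GetScriptedCaller does instead: walk down past native frames
 * until an interpreted one is found; NULL if the stack holds none. */
static Frame *caller_scripted(Frame *fp) {
    while (fp != NULL && fp->script == NULL)
        fp = fp->down;
    return fp;
}

/* Constructed chain for the bug's testcase: the top-level script runs
 * `x = 0`, the watchpoint's native setter js_watch_set runs, and it invokes
 * eval (the watch handler), which pushes no frame. */
static Frame toplevel  = { "toplevel.js", NULL,           NULL };
static Frame watch_set = { NULL,          "js_watch_set", &toplevel };

/* Constructed chain with no script at all (eval reached through the
 * embedding API): the walk yields NULL, which callers must check. */
static Frame api_native = { NULL, "JS_CallFunction", NULL };

int main(void) {
    Frame *bad = caller_assumed(&watch_set);
    Frame *ok  = caller_scripted(&watch_set);
    /* bad->script is NULL; reading through it is the near-null crash */
    printf("assumed caller: %s (script %p)\n", bad->native, (void *)bad->script);
    printf("scripted caller: %s\n", ok->script);
    printf("no script on stack: %s\n",
           caller_scripted(&api_native) ? "found" : "NULL, must be checked");
    return 0;
}
```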
Attached patch: fix, add test
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #427363 - Flags: review?(mrbkap)
Comment on attachment 427363 (fix, add test): I should have seen this.
Attachment #427363 - Flags: review?(mrbkap) → review+
Whiteboard: fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey → [ccbr] fixed-in-tracemonkey
Crash Signature: [@ obj_eval]