Closed Bug 568783 Opened 14 years ago Closed 14 years ago

TM: Crash [@ ArgToRootedString] or "Assertion failure: JSVAL_IS_DOUBLE(*vp),"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 567577
Tracking Status
blocking2.0 --- beta1+

People

(Reporter: gkw, Assigned: Waldo)

Details

(4 keywords, Whiteboard: [ccbr][sg:dupe 567577])

Crash Data

for (let a = 0; a < 4; a++) {
    (function() {
        return encodeURIComponent
    })()(new isXMLName)
}

Crashes the js opt shell on TM tip with -j at ArgToRootedString, and asserts the js debug shell on TM tip with -j with: Assertion failure: JSVAL_IS_DOUBLE(*vp), at ../jsstr.cpp:279

s-s because, based on gdb output, it seems to involve a scary memory location. Assuming [sg:critical?] unless otherwise noted.

===

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x03012200
0x000e243e in ArgToRootedString ()
(gdb) bt
#0  0x000e243e in ArgToRootedString ()
#1  0x000edd8e in str_encodeURI_Component ()
#2  0x005d2f6f in ?? ()
#3  0x00128b81 in js::ExecuteTree ()
#4  0x0013df0f in js::MonitorLoopEdge ()
#5  0x00064f50 in js_Interpret ()
#6  0x00065dd0 in js_Execute ()
#7  0x0000eeec in JS_ExecuteScript ()
#8  0x0000457c in Process ()
#9  0x0000893a in main ()
(gdb) x/i $eip
0xe243e <_ZL17ArgToRootedStringP9JSContextjPlj+206>:    fldl   (%ecx)
(gdb) x/b $ecx
0x3012200:      Cannot access memory at address 0x3012200

autoBisect shows this is probably related to the following regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=96463282ddd6&tochange=38aae302a784

(TM merge, so no bug)

blocking2.0: --- → ?

Hmm, autoBisect doesn't automatically peer "inside" or "down both sides of" merges?

It doesn't peer in, but that's probably due to hg's bisect function. I'm not sure. The source fails to compile with the intermediate changeset, so I had to include the TM-specific fix after that.

blocking2.0: ? → beta1+
Assignee: general → jwalden+bmo
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
Running the testcase here, I get:

Assertion failed: LIR type error (start of writer pipeline): arg 1 of 'ui2uq' is 'cmovq' which has type int64 (expected int32): 0 (../nanojit/LIR.cpp:2642)

so, this might be related to bug 567577.

Waldo, can you confirm that this is indeed related to bug 567577?

Looking now.

Shorter:

for (var i = 0; i < 5; i++) { new isXMLName }

This is indeed just bug 567577; the kernels of each are identical.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:dupe 567577]
Flags: in-testsuite?
Crash Signature: [@ ArgToRootedString]
Group: core-security