Closed
Bug 568783
Opened 14 years ago
Closed 14 years ago
TM: Crash [@ ArgToRootedString] or "Assertion failure: JSVAL_IS_DOUBLE(*vp),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 567577
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta1+ |
People
(Reporter: gkw, Assigned: Waldo)
Details
(4 keywords, Whiteboard: [ccbr][sg:dupe 567577])
Crash Data
Description

```js
for (let a = 0; a < 4; a++) { (function() { return encodeURIComponent })()(new isXMLName) }
```

crashes js opt shell on TM tip with -j at ArgToRootedString and asserts js debug shell on TM tip with -j at

```
Assertion failure: JSVAL_IS_DOUBLE(*vp), at ../jsstr.cpp:279
```

s-s because based on gdb output it seems to involve a scary memory location. Assuming [sg:critical?] unless otherwise noted.

===

```
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x03012200
0x000e243e in ArgToRootedString ()
(gdb) bt
#0  0x000e243e in ArgToRootedString ()
#1  0x000edd8e in str_encodeURI_Component ()
#2  0x005d2f6f in ?? ()
#3  0x00128b81 in js::ExecuteTree ()
#4  0x0013df0f in js::MonitorLoopEdge ()
#5  0x00064f50 in js_Interpret ()
#6  0x00065dd0 in js_Execute ()
#7  0x0000eeec in JS_ExecuteScript ()
#8  0x0000457c in Process ()
#9  0x0000893a in main ()
(gdb) x/i $eip
0xe243e <_ZL17ArgToRootedStringP9JSContextjPlj+206>: fldl (%ecx)
(gdb) x/b $ecx
0x3012200: Cannot access memory at address 0x3012200
```
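Triage tooling, added here as an example and not part of this bug or the SpiderMonkey tree: a small Python parser that turns the kind of opt-shell gdb output and debug-shell assertion quoted above into the crash signature Bugzilla later recorded ([@ ArgToRootedString]) and flags whether the faulting address sits near NULL. The sample inputs are constructed from the description; NEAR_NULL_LIMIT is an assumed heuristic threshold.

```python
import re

# Constructed sample: the opt-shell gdb session quoted in the bug description.
GDB_OUTPUT = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x03012200
0x000e243e in ArgToRootedString ()
(gdb) bt
#0  0x000e243e in ArgToRootedString ()
#1  0x000edd8e in str_encodeURI_Component ()
#2  0x005d2f6f in ?? ()
#3  0x00128b81 in js::ExecuteTree ()
"""
# Constructed sample: the debug-shell assertion quoted in the bug description.
ASSERT_OUTPUT = "Assertion failure: JSVAL_IS_DOUBLE(*vp), at ../jsstr.cpp:279\n"

FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+ in (\S+) \(")
ASSERT_RE = re.compile(r"^Assertion failure: (.+), at (\S+:\d+)")
ADDR_RE = re.compile(r"at address: (0x[0-9a-fA-F]+)")
NEAR_NULL_LIMIT = 0x10000  # assumed heuristic: faults below this read as NULL+offset


def crash_signature(output):
    """Build a Socorro-style '[@ frame]' signature from the first symbolized
    frame of a gdb backtrace, skipping '??' frames. Returns None without a bt."""
    for line in output.splitlines():
        m = FRAME_RE.match(line.strip())
        if m and m.group(1) != "??":
            return "[@ %s]" % m.group(1)
    return None


def triage(output):
    """Classify shell output as a debug-build assertion or an opt-build fault and
    extract the fields a triager files: signature, location, faulting address."""
    result = {"kind": "unknown", "signature": crash_signature(output), "detail": None,
              "location": None, "fault_addr": None, "near_null": None}
    for line in output.splitlines():
        m = ASSERT_RE.match(line.strip())
        if m:
            result.update(kind="assertion", detail=m.group(1), location=m.group(2))
            return result
        m = ADDR_RE.search(line)
        if m:
            addr = int(m.group(1), 16)
            # A fault well away from NULL means a wild or stale pointer was
            # dereferenced: the reporter's "scary memory location" above.
            result.update(kind="segv", fault_addr=addr, near_null=addr < NEAR_NULL_LIMIT)
    return result
```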
Reporter
Comment 1•14 years ago
autoBisect shows this is probably related to the following regression window: http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=96463282ddd6&tochange=38aae302a784 (TM merge, so no bug)
blocking2.0: --- → ?
Comment 2•14 years ago
Hmm, autoBisect doesn't automatically peer "inside" or "down both sides of" merges?
Reporter
Comment 3•14 years ago
It doesn't peer in, but that's probably due to hg's bisect function. I'm not sure. The source fails to compile with the intermediate changeset so I had to include the TM-specific fix after that.
Updated•14 years ago
blocking2.0: ? → beta1+
Updated•14 years ago
Assignee: general → jwalden+bmo
Updated•14 years ago
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][critsmash:investigating]
Comment 4•14 years ago
Running the testcase here, I get:

```
Assertion failed: LIR type error (start of writer pipeline): arg 1 of 'ui2uq' is 'cmovq' which has type int64 (expected int32): 0 (../nanojit/LIR.cpp:2642)
```

so, this might be related to bug 567577.
Comment 5•14 years ago
Waldo, can you confirm that this is indeed related to bug 567577?
Assignee
Comment 6•14 years ago
Looking now.
Assignee
Comment 7•14 years ago
Shorter:

```js
for (var i = 0; i < 5; i++) { new isXMLName }
```

This is indeed just bug 567577, the kernels of each are identical.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [ccbr][sg:critical?][critsmash:investigating] → [ccbr][sg:dupe 567577]
Reporter
Updated•14 years ago
Flags: in-testsuite?
Updated•13 years ago
Crash Signature: [@ ArgToRootedString]
Updated•12 years ago
Group: core-security