Closed
Bug 580913
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ js::Mark] or "Assertion failure: thing,"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords)
Crash Data
function f1(code) {
var f = new Function(code)
f2(code)
f()
}
function f2(f, code) {
f3(code)
}
function f3()
__defineGetter__("x", gc)
f1("for(y in[0]){x}")
f1("for each(let c in[0,x]){(0)}")
asserts js debug shell on JM changeset 7c6f62fcbd91 with -m at Assertion failure: thing, at ../jsgc.cpp:2161 and crashes js opt shell at js::Mark
Program received signal SIGSEGV, Segmentation fault.
0x080a42c8 in js::Mark(JSTracer*, void*, unsigned int) ()
(gdb) bt
#0 0x080a42c8 in js::Mark(JSTracer*, void*, unsigned int) ()
#1 0xffffcbc4 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
=> 0x80a42c8 <_ZN2js4MarkEP8JSTracerPvj+440>: mov 0x8(%eax),%edx
(gdb) x/b $eax
0x0: Cannot access memory at address 0x0
|
||
Comment 1•14 years ago
|
||
Works for me on moo tip 64-bit, but fails on 32-bit.
|
|
||
Comment 2•14 years ago
|
||
Also fails when ICs are disabled.
Another fixed by bug 583084.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
|
Reporter | |
Comment 4•14 years ago
|
||
(In reply to comment #3)
> Another fixed by bug 583084.
Known fixes should be resolved FIXED.
Resolution: WORKSFORME → FIXED
|
||
Updated•14 years ago
|
Crash Signature: [@ js::Mark]
You need to log in
before you can comment on or make changes to this bug.
Description
•