Closed Bug 584659 Opened 14 years ago Closed 14 years ago

JM: Crash [@ JSObject::getClass] or [@ js_ValueToIterator]

Categories: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 584607

Reporter: gkw, Unassigned

(Keywords: crash, regression, testcase)

Iterator((function () {
    function a() {}
    return a++
})())

crashes js debug shell on JM changeset 6347cf00d3ab with -m at JSObject::getClass and crashes js opt shell at js_ValueToIterator


Program received signal SIGSEGV, Segmentation fault.
0x08055adc in JSObject::getClass (this=0x0) at ../../jsobj.h:291
291	        return clasp;
(gdb) bt
#0  0x08055adc in JSObject::getClass (this=0x0) at ../../jsobj.h:291
#1  0x080df886 in js_ValueToIterator (cx=0x8341b20, flags=14, vp=0xf77b0188) at ../jsiter.cpp:776
#2  0x080df5d9 in Iterator (cx=0x8341b20, iterobj=0xf7502000, argc=1, argv=0xf77b0130, rval=0xf77b0188) at ../jsiter.cpp:693
#3  0x080dd473 in js::callJSNative (cx=0x8341b20, native=0x80df578 <Iterator>, thisobj=0xf7502000, argc=1, argv=0xf77b0130, rval=0xf77b0188) at ../jscntxtinlines.h:354
#4  0x080dc77c in InvokeCommon<JSBool (*)(JSContext*, JSObject*, uintN, js::Value*, js::Value*)> (cx=0x8341b20, fun=0xf75068b8, script=0x0, native=0x80df578 <Iterator>, args=..., flags=0)
    at ../jsinterp.cpp:625
#5  0x080d9e9a in js::Invoke (cx=0x8341b20, args=..., flags=0) at ../jsinterp.cpp:761
#6  0x0825990c in js::mjit::stubs::SlowCall (f=..., argc=1) at ../methodjit/InvokeHelpers.cpp:399
#7  0xf76a82de in ?? ()
#8  0x08212188 in js::mjit::JaegerShot (cx=0x8341b20) at ../methodjit/MethodJIT.cpp:696
#9  0x080d9892 in js::RunScript (cx=0x8341b20, script=0x8346fa0, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:466
#10 0x080da68b in js::Execute (cx=0x8341b20, chain=0xf7502000, script=0x8346fa0, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:954
#11 0x0806f9a4 in JS_ExecuteScript (cx=0x8341b20, obj=0xf7502000, script=0x8346fa0, rval=0xffffd200) at ../jsapi.cpp:4737
#12 0x0804c207 in Process (cx=0x8341b20, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#13 0x0804cd99 in ProcessArgs (cx=0x8341b20, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:861
#14 0x0805549d in shell (cx=0x8341b20, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5010
#15 0x080555b9 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5106
(gdb) x/i $eip
=> 0x8055adc <_ZNK8JSObject8getClassEv+6>:	mov    0x4(%eax),%eax
(gdb) x/b $eax
0x0:	Cannot access memory at address 0x0
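An added example, not part of the bug report and not SpiderMonkey code: under ordinary ECMAScript semantics the reduced testcase's inner expression applies ToNumber to the function a, so the argument that reaches Iterator is the primitive NaN, not an object. The valueToIterator function below is an illustrative JavaScript sketch (an assumption, not js_ValueToIterator) of the type dispatch a native needs before it reads per-object data such as a class pointer: reject null and undefined, box primitives, and only then take the object path. The names inner, classify, valueToIterator and run are introduced here.

```javascript
// Added example, not code from the bug report or from SpiderMonkey.
// The reduced testcase, minus the Iterator() call so it runs in any engine.
function inner() {
  function a() {}
  return a++; // postfix ++ applies ToNumber to the function object: NaN
}

// Classifies what a native receives: object, primitive, or nothing.
function classify(v) {
  if (v === null || v === undefined) return "nullish";
  const t = typeof v;
  return t === "object" || t === "function" ? "object" : "primitive:" + t;
}

// Illustrative sketch (assumption, not js_ValueToIterator): every path that
// reads per-object data must first establish that it actually has an object.
function valueToIterator(v) {
  switch (classify(v)) {
    case "nullish":
      throw new TypeError(v + " has no properties");
    case "object":
      return Object.keys(v)[Symbol.iterator]();
    default:
      // Box the primitive so the object path never sees a non-object.
      return Object.keys(Object(v))[Symbol.iterator]();
  }
}

// Drives the sketch with the testcase's value: NaN is boxed, and iterating a
// boxed NaN yields nothing, so the first next() result is already done.
function run() {
  const v = inner();
  const it = valueToIterator(v);
  return { kind: classify(v), isNaN: Number.isNaN(v), first: it.next() };
}
```

The point of the sketch is the ordering: the check on the value's kind happens before anything dereferences it, which is exactly the precondition the backtrace above shows being violated (getClass invoked with this=0x0 from js_ValueToIterator).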
This is almost certainly the same bug as 584651.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ JSObject::getClass] [@ js_ValueToIterator]