Status: New
Owner: ----
New issue 298 by nth10sd: Crash [@ v8::internal::JSObject::LocalLookup] and
CHECK(holder != __null) failed
http://code.google.com/p/v8/issues/detail?id=298
a = function(){}
__defineSetter__("0", function(){})
if(a|= ''){}
this[a].__parent__
This crashes opt compiled with "scons mode=release library=static
snapshot=on sample=shell" at 0xffffffff at
v8::internal::JSObject::LocalLookup.
This asserts debug compiled with "scons mode=debug library=shared
snapshot=on sample=shell" at CHECK(holder != __null) failed
(Please acknowledge and attribute reporter's discovery of testcase)
=====
$ ./shell_g
V8 version 1.1.7 (candidate)
> a = function(){}
__defineSetter__("0", function(){})
if(a|= ''){}
this[a].__parent__function (){}
> [object global]
> >
#
# Fatal error in src/objects.cc, line 156
# CHECK(holder != __null) failed
#
==== Stack trace ============================================
Security context: 0x1c10a2d <JS Object>#0#
1: /* anonymous */(this=0x1c10a61 <JS Global Object>#1#)
==== Details ================================================
[1]: /* anonymous */(this=0x1c10a61 <JS Global Object>#1#) {
// stack-allocated locals
var .result = 0x1e00135 <undefined>
// expression stack (top to bottom)
[03] : 0x1e05ba5 <String[10]: __parent__>
[02] : 0x1c138b1 <FixedArray[2]>#2#
[01] : 0x1c138b1 <FixedArray[2]>#2#
--------- s o u r c e c o d e ---------
this[a].__parent__?
-----------------------------------------
}
==== Key ============================================
#0# 0x1c10a2d: 0x1c10a2d <JS Object>
a: 0
NaN: 0x1e02315 <Number: nan>
Math: 0x180ef0d <a MathConstructor>>#3#
Infinity: 0x1e0306d <Number: inf>
undefined: 0x1e00135 <undefined>
#1# 0x1c10a61: 0x1c10a61 <JS Global Object>
#2# 0x1c138b1: 0x1c138b1 <FixedArray[2]>
0: 0x1e00135 <undefined>
1: 0x1c13895 <JS Function>#4#
#3# 0x180ef0d: 0x180ef0d <a MathConstructor>>
E: 0x1e02989 <Number: 2.718281828459045>
PI: 0x1e02a09 <Number: 3.141592653589793>
LN2: 0x1e029b9 <Number: 0.6931471805599453>
LN10: 0x1e029a1 <Number: 2.302585092994046>
SQRT2: 0x1e02a41 <Number: 1.414213562373095>
LOG2E: 0x1e029d5 <Number: 1.442695040888963>
LOG10E: 0x1e029f1 <Number: 0.4342944819032518>
SQRT1_2: 0x1e02a25 <Number: 0.7071067811865476>
#4# 0x1c13895: 0x1c13895 <JS Function>
=====================
Abort trap
$ svn log | head
------------------------------------------------------------------------
r1677 | [email protected] | 2009-04-03 21:27:14 +0800 (Fri, 03 Apr 2009) | 2 lines
Rewrite of VisitCountOperation that should speed it up
Review URL: http://codereview.chromium.org/56151
------------------------------------------------------------------------
r1676 | [email protected] | 2009-04-03 20:44:45 +0800 (Fri, 03 Apr 2009) | 3 lines
Quick pointer comparison, removed undetectable tests.
Special case for NaN in equality test.
--~--~---------~--~----~------------~-------~--~----~
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
-~----------~----~----~----~------~----~------~--~---