Status: New
Owner: ----

New issue 392 by [email protected]: Crash [@ v8::internal::JSObject::LocalLookup] and CHECK(object->IsString() || object->IsNumber() || object->IsBoolean()) failed
http://code.google.com/p/v8/issues/detail?id=392

(function(){arguments++})()

This crashes opt compiled with "scons mode=release library=static
snapshot=on sample=shell" at 0xffffffff at
v8::internal::JSObject::LocalLookup.

This asserts debug compiled with "scons mode=debug library=shared
snapshot=on sample=shell" at CHECK(object->IsString() || object->IsNumber()
|| object->IsBoolean()) failed

(Please acknowledge and attribute reporter's discovery of testcase)

===

$ ./shell_g
V8 version 1.2.10 (candidate)
> (function(){arguments++})()


#
# Fatal error in src/ic-inl.h, line 86
# CHECK(object->IsString() || object->IsNumber() || object->IsBoolean()) failed
#


==== Stack trace ============================================

Security context: 0x3011fb1 <JS Object>#0#
     1: DefaultNumber(this=0x3012279 <JS Object>#1#,x=0x340019d <the hole>)
     2: ToNumber(this=0x3012279 <JS Object>#1#,x=0x340019d <the hole>)
     3: TO_NUMBER(aka TO_NUMBER)(this=0x340019d <the hole>)
     4: /* anonymous */(this=0x3011fe5 <JS Global Object>#2#)
     5: /* anonymous */(this=0x3011fe5 <JS Global Object>#2#)

==== Details ================================================

[1]: DefaultNumber(this=0x3012279 <JS Object>#1#,x=0x340019d <the hole>) {
   // stack-allocated locals
   var v = 0x3400135 <undefined>
   var s = 0x3400135 <undefined>
   // expression stack (top to bottom)
   [04] : 0x3403ae1 <String[7]: valueOf>
   [03] : 0x340019d <the hole>
   [02] : 0x340019d <the hole>
--------- s o u r c e   c o d e ---------
function DefaultNumber(x) {
  if ((typeof(x.valueOf) === 'function')) {
    var v = x.valueOf();
    if (%IsPrimitive(v)) return v;
  }
  if ((typeof(x.toString) === 'function')) {
    var s = x.toString();
    if (%IsPrimitive(s)) return s;
  }
  throw %MakeTypeError('cannot_convert_to_primitive', []);
}
-----------------------------------------
}

[2]: ToNumber(this=0x3012279 <JS Object>#1#,x=0x340019d <the hole>) {
   // expression stack (top to bottom)
   [02] : 0x3404a01 <String[13]: DefaultNumber>
   [01] : 0x3012279 <JS Object>#1#
   [00] : 0x34001c9 <String[8]: ToNumber>
--------- s o u r c e   c o d e ---------
function ToNumber(x) {
  if ((typeof(x) === 'number')) return x;
  if ((typeof(x) === 'string')) return %StringToNumber(x);
  if ((typeof(x) === 'boolean')) return x ? 1 : 0;
  if ((typeof(x) === 'undefined')) return $NaN;
  return ((x === null)) ? 0 : ToNumber(%DefaultNumber(x));
}
-----------------------------------------
}

[3]: TO_NUMBER(aka TO_NUMBER)(this=0x340019d <the hole>) {
   // expression stack (top to bottom)
   [00] : 0x34001c9 <String[8]: ToNumber>
--------- s o u r c e   c o d e ---------
function TO_NUMBER() {
  return %ToNumber(this);
}
-----------------------------------------
}

[4]: /* anonymous */(this=0x3011fe5 <JS Global Object>#2#) {
   // stack-allocated locals
   var .arguments = 0x3400135 <undefined>
   var arguments = 0x3400135 <undefined>
--------- s o u r c e   c o d e ---------
function (){arguments++}
-----------------------------------------
}

[5]: /* anonymous */(this=0x3011fe5 <JS Global Object>#2#) {
   // stack-allocated locals
   var .result = 0x3400135 <undefined>
   // expression stack (top to bottom)
   [01] : 0x3014761 <JS Function>#3#
--------- s o u r c e   c o d e ---------
(function(){arguments++})()
-----------------------------------------
}

==== Key         ============================================

  #0# 0x3011fb1: 0x3011fb1 <JS Object>
                NaN: 0x3404529 <Number: nan>
               JSON: 0x30121e1 <JS Object>#4#
               Math: 0x200f301 <a MathConstructor>>#5#
           Infinity: 0x3405321 <Number: inf>
          undefined: 0x3400135 <undefined>
  #1# 0x3012279: 0x3012279 <JS Object>
               $NaN: 0x3404529 <Number: nan>
              $Math: 0x200f301 <a MathConstructor>>#5#
             global: 0x3011fb1 <JS Object>#0#
          kMessages: 0x2014619 <an Object>>#6#
          $Infinity: 0x3405321 <Number: inf>
       hexCharArray: 0x200c6a5 <JS array[16]>#7#
       kVowelSounds: 0x2012fad <an Object>>#8#
      functionCache: 0x201d809 <an Object>>#9#
     visited_arrays: 0x200584d <JS array[0]>#10#
   kLineLengthLimit: 78
   hexCharCodeArray: 0x200c755 <JS array[16]>#11#
  kApiFunctionCache: 0x201d809 <an Object>>#9#
  reusableMatchInfo: 0x20080b9 <JS array[5]>#12#
kCapitalVowelSounds: 0x2013445 <an Object>>#13#
kStackOverflowBoilerplate: 0x201b141 <a RangeError>>#14#
kAddMessageAccessorsMarker: 0x2014b99 <an Object>>#15#
  #2# 0x3011fe5: 0x3011fe5 <JS Global Object>
  #3# 0x3014761: 0x3014761 <JS Function>
  #4# 0x30121e1: 0x30121e1 <JS Object>
  #5# 0x200f301: 0x200f301 <a MathConstructor>>
                  E: 0x3404bad <Number: 2.718281828459045>
                 PI: 0x3404c2d <Number: 3.141592653589793>
                LN2: 0x3404bdd <Number: 0.6931471805599453>
               LN10: 0x3404bc5 <Number: 2.302585092994046>
              SQRT2: 0x3404c65 <Number: 1.414213562373095>
              LOG2E: 0x3404bf9 <Number: 1.442695040888963>
             LOG10E: 0x3404c15 <Number: 0.4342944819032518>
            SQRT1_2: 0x3404c49 <Number: 0.7071067811865476>
  #6# 0x2014619: 0x2014619 <an Object>>
         pcre_error: 0x3407539 <String[31]: PCRE function %0, error code %1>
        not_defined: 0x3406ca5 <String[17]: %0 is not defined>
        stack_trace: 0x3407389 <String[15]: Stack Trace:\n%0>
       cyclic_proto: 0x34072cd <String[22]: Cyclic __proto__ value>
       regexp_flags: 0x3407285 <String[61]: Cannot supply flags when constructing one RegExp from another>
       illegal_eval: 0x3407361 <String[32]: Unsupported indirect eval() call>
       invalid_json: 0x3406bb9 <String[29]: String '%0' is not valid JSON>
      illegal_break: 0x3407485 <String[23]: Illegal break statement>
      unknown_label: 0x34071ed <String[20]: Undefined label '%0'>
      redeclaration: 0x3406be1 <String[33]: %0 '%1' has already been declared>
      invalid_break: 0x3406d61 <String[23]: Invalid break statement>
     invalid_regexp: 0x3406e11 <String[27]: Invalid RegExp pattern /%0/>
     expected_label: 0x3406ee5 <String[14]: Expected label>
     stack_overflow: 0x3406dd1 <String[32]: Maximum call stack size exceeded>
     null_to_object: 0x3406efd <String[29]: Cannot convert null to object>
     apply_overflow: 0x34074d5 <String[52]: Function.prototype.apply cannot support %0 arguments>
     illegal_return: 0x3406db1 <String[24]: Illegal return statement>
     unexpected_eos: 0x34073e5 <String[23]: Unexpected end of input>
    with_expression: 0x3406f25 <String[20]: %0 has no properties>
    not_constructor: 0x3406fa5 <String[23]: %0 is not a constructor>
    unable_to_parse: 0x3406f6d <String[11]: Parse error>
   apply_wrong_args: 0x34070d1 <String[55]: Function.prototype.apply: Arguments list has wrong type>
   unexpected_token: 0x3407429 <String[19]: Unexpected token %0>
   invalid_continue: 0x3406c0d <String[26]: Invalid continue statement>
   malformed_regexp: 0x3407025 <String[36]: Invalid regular expression: /%0/: %1>
   undefined_method: 0x3406ec1 <String[28]: Object %1 has no method '%0'>
   illegal_continue: 0x3407405 <String[26]: Illegal continue statement>
  null_or_undefined: 0x3406e8d <String[43]: Cannot access property of null or undefined>
  reduce_no_initial: 0x340732d <String[43]: Reduce of empty array with no initial value>
no_input_to_regexp: 0x3406df9 <String[14]: No input to %0>
uncaught_exception: 0x3407079 <String[11]: Uncaught %0>
illegal_invocation: 0x3406cc1 <String[18]: Illegal invocation>
apply_non_function: 0x3406cdd <String[75]: Function.prototype.apply was called on %0, which is a %1 and not a function>
circular_structure: 0x3406c75 <String[37]: Converting circular structure to JSON>
newline_after_throw: 0x3407461 <String[27]: Illegal newline after throw>
unterminated_regexp: 0x34074a5 <String[37]: Invalid regular expression: missing />
called_non_callable: 0x3407209 <String[20]: %0 is not a function>
no_catch_or_finally: 0x3407111 <String[34]: Missing catch or finally after try>
result_not_primitive: 0x3406d81 <String[40]: Result of %0 must be a primitive, was %1>
invalid_array_length: 0x3406e35 <String[20]: Invalid array length>
property_not_function: 0x340713d <String[44]: Property '%0' of object %1 is not a function>
no_setter_in_callback: 0x3406e51 <String[52]: Cannot set property %0 of %1 which has only a getter>
invalid_lhs_in_for_in: 0x34070a9 <String[32]: Invalid left-hand side in for-in>
duplicate_regexp_flag: 0x3407171 <String[24]: Duplicate RegExp flag %0>
error_loading_debugger: 0x3406f81 <String[25]: Error loading debugger %0>
unexpected_token_number: 0x340708d <String[17]: Unexpected number>
invalid_in_operator_use: 0x34071b1 <String[49]: Cannot use 'in' operator to search for '%0' in %1>
unexpected_token_string: 0x3407445 <String[17]: Unexpected string>
invalid_lhs_in_prefix_op: 0x3406b79 <String[53]: Invalid left-hand side expression in prefix operation>
unrecognized_regexp_flag: 0x3407261 <String[27]: Unrecognized RegExp flag %0>
non_object_property_load: 0x3406ffd <String[31]: Cannot read property '%0' of %1>
non_object_property_call: 0x3407511 <String[29]: Cannot call method '%0' of %1>
invalid_lhs_in_assignment: 0x3406f41 <String[36]: Invalid left-hand side in assignment>
non_object_property_store: 0x3407051 <String[30]: Cannot set property '%0' of %1>
invalid_lhs_in_postfix_op: 0x34072ed <String[54]: Invalid left-hand side expression in postfix operation>
instanceof_nonobject_proto: 0x3406c31 <String[58]: Function has non-object prototype '%0' in instanceof check>
invalid_array_apply_length: 0x34073a1 <String[59]: Function.prototype.apply supports only up to 1024 arguments>
cannot_convert_to_primitive: 0x3406d31 <String[40]: Cannot convert object to primitive value>
multiple_defaults_in_switch: 0x3406fc5 <String[48]: More than one default clause in switch statement>
unexpected_token_identifier: 0x3407191 <String[21]: Unexpected identifier>
instanceof_function_expected: 0x3407225 <String[52]: Expecting a function in instanceof check, but got %0>
  #7# 0x200c6a5: 0x200c6a5 <JS array[16]>
                  0: 0x3403d41 <String[1]: 0>
                  1: 0x340657d <String[1]: 1>
                  2: 0x3406589 <String[1]: 2>
                  3: 0x3406595 <String[1]: 3>
                  4: 0x34065a1 <String[1]: 4>
                  5: 0x34065ad <String[1]: 5>
                  6: 0x34065b9 <String[1]: 6>
                  7: 0x34065c5 <String[1]: 7>
                  8: 0x34065d1 <String[1]: 8>
                  9: 0x34065dd <String[1]: 9>
                   ...
  #8# 0x2012fad: 0x2012fad <an Object>>
                  e: 0x3400161 <true>
                  a: 0x3400161 <true>
                  u: 0x3400161 <true>
                  o: 0x3400161 <true>
                  y: 0x3400161 <true>
                  i: 0x3400161 <true>
  #9# 0x201d809: 0x201d809 <an Object>>
  #10# 0x200584d: 0x200584d <JS array[0]>
  #11# 0x200c755: 0x200c755 <JS array[16]>
                  0: 48
                  1: 49
                  2: 50
                  3: 51
                  4: 52
                  5: 53
                  6: 54
                  7: 55
                  8: 56
                  9: 57
                   ...
  #12# 0x20080b9: 0x20080b9 <JS array[5]>
                  0: 2
                  1: 0x34001d9 <String[0]: >
                  2: 0x34001d9 <String[0]: >
                  3: -1
                  4: -1
  #13# 0x2013445: 0x2013445 <an Object>>
                  r: 0x3400161 <true>
                  x: 0x3400161 <true>
                  h: 0x3400161 <true>
                  f: 0x3400161 <true>
                  l: 0x3400161 <true>
                  e: 0x3400161 <true>
                  a: 0x3400161 <true>
                  u: 0x3400161 <true>
                  o: 0x3400161 <true>
                  n: 0x3400161 <true>
                  y: 0x3400161 <true>
                  s: 0x3400161 <true>
                  i: 0x3400161 <true>
                  m: 0x3400161 <true>
  #14# 0x201b141: 0x201b141 <a RangeError>>
  #15# 0x2014b99: 0x2014b99 <an Object>>
=====================

Abort trap
$ svn log | head
------------------------------------------------------------------------
r2284 | [email protected] | 2009-06-26 21:52:05 +0800 (Fri, 26 Jun 2009)
| 2 lines

X64 implementation: Store to lookup slots
Review URL: http://codereview.chromium.org/147203
------------------------------------------------------------------------
r2283 | [email protected] | 2009-06-26 21:09:50 +0800 (Fri, 26 Jun 2009) | 4 lines

- Inlined the code for make simple cons strings.
- Simplify generated code for Runtime_** functions.


v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
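Added regression harness, not part of the original report or of V8's own test suite. The trace above shows TO_NUMBER entered with this=<the hole> (the uninitialized-slot marker) instead of an Arguments object, and the CHECK in src/ic-inl.h fires because the hole is none of string, number or boolean; in the release build that check is absent and LocalLookup faults at 0xffffffff. The useful oracle when triaging a testcase like this is the spec-mandated result for each update form applied to `arguments`, so this JavaScript runs every such form through `new Function` on any ES5+ engine (written against Node) and reports which ones deviate: numeric updates must yield NaN, `+=` must concatenate, and strict-mode assignment to `arguments` must be rejected at parse time. The probe bodies, names and expected values are the example's own; a build with the bug in the report would abort inside `runProbe` instead of returning a result.

```javascript
// Added regression harness for the `arguments++` crash (v8 issue 392).
// Not part of the original report or of V8; runs on any ES5+ engine (e.g. Node).
// Each probe is built with `new Function` so a SyntaxError raised at parse
// time (the strict-mode case) is classified rather than aborting the run.
'use strict';

// Constructed probes: every update / compound-assignment form that sends
// `arguments` through ToNumber/ToPrimitive, which is the path that crashed.
const PROBES = {
  postfix_inc: 'return arguments++;',
  prefix_inc:  'return ++arguments;',
  postfix_dec: 'return arguments--;',
  prefix_dec:  'return --arguments;',
  minus_eq:    'arguments -= 1; return arguments;',
  plus_eq:     'arguments += 1; return arguments;',
  after_inc:   'arguments++; return arguments;',
  strict_inc:  '"use strict"; return arguments++;',
};

// Run one probe with a few real arguments so a correct engine has a genuine
// Arguments object to coerce. Returns {kind, value} for the oracle below.
function runProbe(body) {
  let fn;
  try {
    fn = new Function(body);            // sloppy unless the body opts in
  } catch (e) {
    return { kind: 'syntax', value: e.name };
  }
  try {
    return { kind: 'value', value: fn(1, 2, 3) };
  } catch (e) {
    return { kind: 'throw', value: e.name };
  }
}

function runAll() {
  const out = {};
  for (const [name, body] of Object.entries(PROBES)) out[name] = runProbe(body);
  return out;
}

// Oracle: ToNumber on an Arguments object goes ToPrimitive -> valueOf (returns
// the object, not primitive) -> toString -> "[object Arguments]" -> NaN, so
// every numeric update form must yield NaN and must not throw (let alone
// crash); `+=` takes the string path and concatenates; assigning to
// `arguments` in strict code is a parse-time SyntaxError.
// Returns the names of the probes whose observed behaviour deviates.
function deviations(results) {
  const bad = [];
  const isNaNNumber = (r) =>
    r.kind === 'value' && typeof r.value === 'number' && Number.isNaN(r.value);
  for (const name of ['postfix_inc', 'prefix_inc', 'postfix_dec',
                      'prefix_dec', 'minus_eq', 'after_inc']) {
    if (!isNaNNumber(results[name])) bad.push(name);
  }
  const pe = results.plus_eq;
  if (!(pe.kind === 'value' && pe.value === '[object Arguments]1')) bad.push('plus_eq');
  const si = results.strict_inc;
  if (!(si.kind === 'syntax' && si.value === 'SyntaxError')) bad.push('strict_inc');
  return bad;
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runAll();
  console.log(r);
  console.log('deviations:', deviations(r));
}
```

An empty deviation list means the engine coerced the Arguments object the way ECMAScript prescribes on every form; the point of running all the forms rather than the single reported one is that the prefix, decrement and compound-assignment variants reach the same ToNumber path and are the first places to look for a sibling of the reported crash.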