Comment #13 on issue 966 by [email protected]: v8 Build error in FreeBSD 8.1
http://code.google.com/p/v8/issues/detail?id=966

So I've been looking into this bug recently and the stacktrace is always the same with a debug build of v8:

 ./shell_g --enable-slow-asserts --debug-code --verify-heap -e'print "foo"'
abort: Operand is not a smi

==== Stack trace ============================================

Security context: 0x8009aab89 <JS Object>#0#
1: new Number(this=0x80201e409 <a Number> value = 0x8009ea089 <undefined>>#1#,a=0) 3: /* anonymous */ [native v8natives.js:994] (this=0x8009abb19 <JS Object>#2#)

==== Details ================================================

[1]: new Number(this=0x80201e409 <a Number> value = 0x8009ea089 <undefined>>#1#,a=0) {
  // stack-allocated locals
  var b = 0x8009ea089 <undefined>
  // expression stack (top to bottom)
  [03] : 1
  [02] : 0

  [01] : 32767
--------- s o u r c e   c o d e ---------
<No Source>
-----------------------------------------
}

[3]: /* anonymous */ [native v8natives.js:994] (this=0x8009abb19 <JS Object>#2#) {
  // stack-allocated locals
  var .result = 0x8009ea089 <undefined>
  // expression stack (top to bottom)
  [03] : 0
  [02] : 0x8009aaef1 <JS Function Number>#3#
  [01] : 0x8009aaef1 <JS Function Number>#3#
--------- s o u r c e   c o d e ---------
????????????????????????????????????????const $isNaN=GlobalIsNaN;?const $isFinite=GlobalIsFinite;???????function InstallFunctions(a,b,c){?if(c.length>=8){?%OptimizeObjectForAddingMultipleProperties(a,c.length>>1);?}?for(var d=0;d<c.length;d+=2){?var e=c[d];?var f=c[d+1];?%FunctionSetName(f,e);?%Func...

-----------------------------------------
}

==== Key         ============================================

 #0# 0x8009aab89: 0x8009aab89 <JS Object>
 #1# 0x80201e409: 0x80201e409 <a Number> value = 0x8009ea089 <undefined>>
           value(): 0x8009ea089 <undefined>
 #2# 0x8009abb19: 0x8009abb19 <JS Object>
 #3# 0x8009aaef1: 0x8009aaef1 <JS Function Number>
=====================

Abort (core dumped)

It always chokes on this line in v8natives.js, going back to the v8 3.0 patch 5922. Because this is built-in JavaScript code, v8 3.0 fails on any input, including empty input. Since v8natives.js wasn't modified with v8 3.0, this function is just triggering an x64 bug elsewhere in that patch, but I thought I'd point this out in case it helps anyone figure out what's going on.

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev