Closed
Bug 1276382
Opened 8 years ago
Closed 8 years ago
Assertion failure: getSlotRef(THROWTYPEERROR).isUndefined(), at js/src/vm/GlobalObject.h:152
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1219128
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | affected |
People
(Reporter: gkw, Assigned: jorendorff)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision a41a34f7d936 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
x = evalcx('lazy');
oomTest(function() {
x.eval
});
Backtrace:
0 js-dbg-64-dm-clang-darwin-a41a34f7d936 0x000000010b9fa96b CreateFunctionPrototype(JSContext*, JSProtoKey) + 2203 (GlobalObject.h:152)
1 js-dbg-64-dm-clang-darwin-a41a34f7d936 0x000000010bb759a1 js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 753 (RootingAPI.h:685)
2 js-dbg-64-dm-clang-darwin-a41a34f7d936 0x000000010bb756a4 js::GlobalObject::ensureConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 52 (GlobalObject.cpp:126)
3 js-dbg-64-dm-clang-darwin-a41a34f7d936 0x000000010bae5bec CreateObjectConstructor(JSContext*, JSProtoKey) + 92 (Object.cpp:1146)
4 js-dbg-64-dm-clang-darwin-a41a34f7d936 0x000000010bb75a48 js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) + 920 (RootingAPI.h:668)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
The bisection window isn't as useful here (it points to the landing of oomTest), so setting needinfo? from Jason and Waldo as a start.
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(jorendorff)
|
Assignee | |
Comment 3•8 years ago
|
||
Pretty sure this is a dup. Looking at it now.
|
|
Assignee | |
Comment 4•8 years ago
|
||
I don't think a bug is on file for this, but it's a known issue where initialization of Object.prototype and Function.prototype got screwed up, when PlainObject X-rays went in, such that global objects end up partly-initialized if OOM happens at just the wrong time. I'm already on the hook to fix it, so taking this.
Assignee: nobody → jorendorff
Flags: needinfo?(jorendorff)
|
|
Reporter | |
Comment 5•8 years ago
|
||
Maybe bug 1219128?
|
||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jwalden+bmo)
Resolution: --- → DUPLICATE
|
||
Updated•2 years ago
|
Severity: critical → S4
You need to log in
before you can comment on or make changes to this bug.
Description
•