Closed Bug 547912 Opened 15 years ago Closed 15 years ago

"Assertion failure: HAS_FUNCTION_CLASS(JSVAL_TO_OBJECT(setterVal)), at ../jsscope.h"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: gal)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

patch
(deleted), patch
brendan
: review+
igor
: review+
Details | Diff | Splinter Review
try { (function() { __defineSetter__("x", /a/) })() } catch(e) {} for (y in x = x) { function() {} } asserts js debug shell without -j on TM tip at Assertion failure: HAS_FUNCTION_CLASS(JSVAL_TO_OBJECT(setterVal)), at ../jsscope.h:650
Occurs for me using TM changeset 65eeef03da7c: http://hg.mozilla.org/tracemonkey/rev/65eeef03da7c and still occurs in TM changeset c74d5d487a09. http://hg.mozilla.org/tracemonkey/rev/c74d5d487a09 Mac 10.6.2, 32-bit, debug shell.
I know. This one happens for me too. I meant the other bug.
Attached patch patch (obsolete) (deleted) — Splinter Review
Assignee: general → gal
autoBisect shows this is probably related to bug 547314: The first bad revision is: changeset: 38505:65eeef03da7c user: Andreas Gal date: Mon Feb 22 16:30:22 2010 -0800 summary: Introduce ObjectOps for typeOf and make trace a mandatory ObjectOp (547314, r=brendan). (In reply to comment #2) > I know. This one happens for me too. I meant the other bug. Working on that bug now (bug 547911).
Blocks: 547314
Attached patch patch (deleted) — Splinter Review
This patch removes locking in js_Callable(). We seem to already do isNative() all over the place unlocked. There is an early out for non-native objects. Once its native objects don't go non-native, and objops don't change. This should be pretty safe.
Attachment #428371 - Attachment is obsolete: true
Attachment #428373 - Flags: review?(mrbkap)
Attachment #428373 - Flags: review+
Comment on attachment 428373 [details] [diff] [review] patch > if (!isNative()) > return map->ops->call; > >+ return isFunction() || getClass()->call; Sorry I didn't catch this. The new-school way is to write it like this: > if (isNative()) > return isFunction() || getClass()->call; > > return map->ops->call; /be
Attachment #428373 - Flags: review?(mrbkap)
http://hg.mozilla.org/tracemonkey/rev/bff56127e35b
Whiteboard: fixed-in-tracemonkey
(In reply to comment #5) > We seem to already do isNative() all over the place unlocked. There is an early out for non-native objects. Once its native objects don't go non-native, and objops don't change. This should be pretty safe. isNative must be called outside the lock, http://hg.mozilla.org/tracemonkey/file/bff56127e35b/js/src/jslock.h#l150 isNative for non-native objects is safe because for them ops is immutable indeed. For native ones it is safe since any scope stored in OBJ_SCOPE(obj) is only destroyed during the GC.
Attachment #428373 - Flags: review+
I pushed a fix for a test in our test suite that was expecting setting a regexp as setter/getter to fail, which is no longer the case (regexps are callable objects). http://hg.mozilla.org/tracemonkey/rev/dca026286095
http://hg.mozilla.org/mozilla-central/rev/bff56127e35b
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: