Closed
Bug 560998
Opened 15 years ago
Closed 15 years ago
Assertion failure: entry->vword.toObject() == JSVAL_TO_OBJECT(v)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: jruderman, Assigned: jorendorff)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
patch (deleted) | brendan: review+
for (let j = 0; j < 4; ++j) { function g() { j; } g(); }

Assertion failure: entry->vword.toObject() == JSVAL_TO_OBJECT(v), at ../jsinterp.cpp:2184

Crashes when using just the interpreter, no -j or -m! TM branch rev 5b05b75cd402.

I discovered this using a new technique (not jsfunfuzz).
Comment 1•15 years ago
autoBisect shows this is probably related to bug 471214:

The first bad revision is:
changeset: 32130:842e6c09e35a
user: Brendan Eich
date: Thu Sep 03 14:41:19 2009 -0700
summary: Join lambdas assigned or initialized as methods to the compiler-created function object if we can, with a read barrier to clone on method value extractions other than call expressions (471214, r=jorendorff).
Blocks: 471214
Keywords: regression
Comment 2•15 years ago
fwiw, bug 471214 was not landed on 1.9.2 so this should not affect Firefox 3.6.x and before.
Comment 3•15 years ago
This bug along with bug 560101 are being hit somewhat frequently by jsfunfuzz, especially after jsfunfuzz was improved to hit this bug. :)
blocking2.0: --- → ?
Assignee
Comment 4•15 years ago
The second time through the loop, the global is already branded, and JSOP_DEFFUN ends up in js_DefineNativeProperty to change the value of g, a function-valued global property. This should change the global shape, but it doesn't.
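A toy model of the failure described in comment 4, added here as an illustration; it is not code from the bug, the patch, or SpiderMonkey. The class and function names are hypothetical, and it assumes the cache stores the function object under a shape key and that the first such fill brands the object.

```javascript
// Simplified model, not SpiderMonkey code. All names here are hypothetical.
// A cache entry keyed by (shape, name) stores the function object itself, so a
// branded object must get a new shape when a function-valued property changes.
let nextShape = 1;

class ModelObject {
  constructor() {
    this.shape = nextShape++;
    this.branded = false;
    this.slots = new Map();
  }
  // fixApplied=false models the buggy define path, true the corrected one.
  define(name, value, fixApplied) {
    const isNew = !this.slots.has(name);
    const old = this.slots.get(name);
    this.slots.set(name, value);
    const fnChanged = old !== value &&
      (typeof old === "function" || typeof value === "function");
    if (isNew || (fixApplied && this.branded && fnChanged)) {
      this.shape = nextShape++;
    }
  }
}

class PropertyCache {
  constructor() { this.entries = new Map(); }
  // Returns true when the cached callee matches the slot (the asserted invariant).
  lookupCallee(obj, name) {
    const key = obj.shape + ":" + name;
    const actual = obj.slots.get(name);
    if (this.entries.has(key)) return this.entries.get(key) === actual;
    obj.branded = true; // assumption: first function-valued fill brands the object
    this.entries.set(key, actual);
    return true;
  }
}

// Mirrors the testcase: each iteration defines a fresh closure g, then calls it.
function runLoop(fixApplied) {
  const globalObj = new ModelObject();
  const cache = new PropertyCache();
  const consistent = [];
  for (let j = 0; j < 4; ++j) {
    globalObj.define("g", function g() { return j; }, fixApplied);
    consistent.push(cache.lookupCallee(globalObj, "g"));
  }
  return consistent;
}
console.log(runLoop(false), runLoop(true));
```

In the unfixed run the second iteration hits the stale entry because the shape did not change, which is the condition the engine's assertion catches.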
Assignee
Updated•15 years ago
Assignee: general → jorendorff
Assignee
Comment 5•15 years ago
The fix is in the first hunk. The rest is tidying up and tests.
Attachment #442548 -
Flags: review?(brendan)
Comment 6•15 years ago
Comment on attachment 442548 v1

I had plans for toval; no worries, it can come back if needed.

/be
Attachment #442548 -
Flags: review?(brendan) → review+
Assignee
Comment 7•15 years ago
http://hg.mozilla.org/tracemonkey/rev/539d04cccb8b

I have to admit this "new technique" sounds ominous.
Whiteboard: fixed-in-tracemonkey
Comment 8•15 years ago
Yeah, don't tease, Jesse. We're all expecting a new, fully operational, space-squid-obvious, Death Star. IT'S A TRAP!! /be
Comment 9•15 years ago
http://hg.mozilla.org/mozilla-central/rev/539d04cccb8b
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•14 years ago
blocking2.0: ? → betaN+
Comment 10•12 years ago
A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-560998-1.js.
Flags: in-testsuite+