Bug 578041
Opened 14 years ago
Closed 14 years ago
JM: "Assertion failure: IsSaneThisObject(argv[-1].toObject()),"
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: cdleary)
(Keywords: assertion, regression, testcase)
Attachments (1 file): patch (deleted); jorendorff: review+
Description • 14 years ago (Reporter)

__defineGetter__("x",Float32Array) with(this)x

asserts at

Assertion failure: IsSaneThisObject(argv[-1].toObject()), at ../jsinterp.cpp:306

on moo tip changeset 60c111fc0d4b without -m. Tested only on 64-bit Ubuntu 10.04.

Program received signal SIGABRT, Aborted.
0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
42 ../nptl/sysdeps/unix/sysv/linux/pt-raise.c: No such file or directory.
 in ../nptl/sysdeps/unix/sysv/linux/pt-raise.c
(gdb) bt
#0 0x00007ffff7bce7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1 0x000000000053e000 in JS_Assert (s=0x5937c8 "IsSaneThisObject(argv[-1].toObject())", file=0x593698 "../jsinterp.cpp", ln=306) at ../jsutil.cpp:80
#2 0x0000000000495888 in js::ComputeThisFromArgv (cx=0x82a1a0, argv=0x7ffff6a8a1f8) at ../jsinterp.cpp:306
#3 0x0000000000439786 in js::ComputeThisFromVp (cx=0x82a1a0, vp=0x7ffff6a8a1e8) at ../jsinterp.h:284
#4 0x000000000049608b in js::Invoke (cx=0x82a1a0, args=..., flags=0) at ../jsinterp.cpp:715
#5 0x0000000000496343 in js::InternalInvoke (cx=0x82a1a0, thisv=..., fval=..., flags=0, argc=0, argv=0x0, rval=0x7fffffffd590) at ../jsinterp.cpp:771
#6 0x0000000000494989 in InternalCall (cx=0x82a1a0, obj=0x7ffff6901480, fval=..., argc=0, argv=0x0, rval=0x7fffffffd590) at ../jsinterp.h:349
#7 0x0000000000496418 in js::InternalGetOrSet (cx=0x82a1a0, obj=0x7ffff6901480, id=..., fval=..., mode=JSACC_READ, argc=0, argv=0x0, rval=0x7fffffffd590) at ../jsinterp.cpp:799
#8 0x00000000004bbdca in JSScopeProperty::get (this=0x82ee58, cx=0x82a1a0, obj=0x7ffff6901480, pobj=0x7ffff6901000, vp=0x7fffffffd590) at ../jsscopeinlines.h:281
#9 0x00000000004b5c7a in js_NativeGet (cx=0x82a1a0, obj=0x7ffff6901480, pobj=0x7ffff6901000, sprop=0x82ee58, getHow=0, vp=0x7fffffffd590) at ../jsobj.cpp:4747
#10 0x00000000005720f0 in js::Interpret (cx=0x82a1a0) at ../jsops.cpp:2475
#11 0x0000000000495ce4 in js::RunScript (cx=0x82a1a0, script=0x831740, fun=0x0, scopeChain=0x7ffff6901000) at ../jsinterp.cpp:462
#12 0x0000000000496a96 in js::Execute (cx=0x82a1a0, chain=0x7ffff6901000, script=0x831740, down=0x0, flags=0, result=0x7fffffffe030) at ../jsinterp.cpp:923
#13 0x0000000000428656 in JS_ExecuteScript (cx=0x82a1a0, obj=0x7ffff6901000, script=0x831740, rval=0x7fffffffe030) at ../jsapi.cpp:4637
#14 0x0000000000404d14 in Process (cx=0x82a1a0, obj=0x7ffff6901000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533
#15 0x000000000040572a in ProcessArgs (cx=0x82a1a0, obj=0x7ffff6901000, argv=0x7fffffffe2d0, argc=0) at ../../shell/js.cpp:860
#16 0x000000000040dadd in shell (cx=0x82a1a0, argc=0, argv=0x7fffffffe2d0, envp=0x7fffffffe2d8) at ../../shell/js.cpp:5038
#17 0x000000000040dbed in main (argc=0, argv=0x7fffffffe2d0, envp=0x7fffffffe2d8) at ../../shell/js.cpp:5129
Comment 1 • 14 years ago (Assignee)
Need to do the same resolution on prop$ miss that we do with JSOP_CALLNAME in JSOP_NAME.
Assignee: general → cdleary
Status: NEW → ASSIGNED
Comment 2 • 14 years ago (Reporter)
Seems to be fatval-related. (and not to JM/moo)
No longer blocks: JaegerFuzz
Summary: JM: "Assertion failure: IsSaneThisObject(argv[-1].toObject())," → FV: "Assertion failure: IsSaneThisObject(argv[-1].toObject()),"
Comment 3 • 14 years ago (Assignee)
(In reply to comment #2)
> Seems to be fatval-related. (and not to JM/moo)

Gary, I'm not sure what you mean -- IsSaneThisObject was added with the eager-|this| patch in bug 574697, which only landed on JM/moo so far as I know. Where does the fatval branch live nowadays?
Comment 4 • 14 years ago (Reporter)
(In reply to comment #3)
> (In reply to comment #2)
> > Seems to be fatval-related. (and not to JM/moo)
>
> Gary, I'm not sure what you mean -- IsSaneThisObject was added with the
> eager-|this| patch in bug 574697, which only landed on JM/moo so far as I know.
> Where does the fatval branch live nowadays?

You're right - I got myself confused with some of the other bugs. The fatval branch is at http://hg.mozilla.org/users/lwagner_mozilla.com/fatval/
Blocks: JaegerFuzz
Summary: FV: "Assertion failure: IsSaneThisObject(argv[-1].toObject())," → JM: "Assertion failure: IsSaneThisObject(argv[-1].toObject()),"
Comment 5 • 14 years ago
I am unable to reproduce this on fatval tip on 32-bit debug linux or 64-bit debug os x.
Comment 6 • 14 years ago (Assignee)
Call the thisObject hook when a js_WithClass object is encountered with a getter sprop on it.
Attachment #462307 - Flags: review?(jorendorff)
Comment 7 • 14 years ago
I hit this on moo branch but not on tm branch.
Comment 8 • 14 years ago
Comment on attachment 462307: Normalize with object on getter sprops.

See jsscopeinlines.h, JSScopeProperty::get and JSScopeProperty::set -- you need to unwrap With objects for PropertyOp getters and setters too (not sure setters are an issue with the method jit). The sprop->hasGetterValue() test means you are covering only user-defined getters here. In jsscopeinlines.h the user-defined cases flow down through InternalGetOrSet -> InternalCall (luke is fixing these names) and general |this| normalizing code takes care of With.

/be
Comment 9 • 14 years ago
Comment on attachment 462307: Normalize with object on getter sprops.

Right, this needs at least !sprop->hasDefaultGetter() instead of sprop->hasGetterValue(). r=me with that change. I don't think there's any issue with setters; JSOP_SETNAME checks for obj->getOps()->setProperty and calls it.
Attachment #462307 - Flags: review?(jorendorff) → review+
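The invariant under discussion in the description's testcase and in comments 8 and 9 (a getter or setter reached by name through a `with` scope must be invoked with the underlying object as `this`, never the engine's internal With wrapper) can be checked at the language level. The block below is an added example, not code from this bug, its patch or SpiderMonkey; it assumes a current ES2015+ engine such as Node.js, where `with` is legal only in sloppy mode (hence the snippets are compiled with `new Function`, whose body is sloppy even if this file is loaded as a strict module) and where calling `Float32Array` without `new` throws a TypeError rather than returning an array as the 2010 shell did.

```javascript
// Added example (not from bug 578041 or SpiderMonkey). Checks the receiver a
// getter/setter sees when reached through a `with` scope, and reruns the
// reporter's testcase against a plain object instead of the global.

// Reads `x` via `with (obj)` where `x` is a user-defined getter, and reports
// which object the getter observed as `this`.
function receiverSeenByGetterThroughWith() {
  const target = { name: 'target' };
  let seen = null;
  Object.defineProperty(target, 'x', {
    configurable: true,
    get() { seen = this; return 42; },
  });
  // Same shape as the reporter's `with(this) x`, but the scope object is
  // passed in explicitly so the example does not touch the global object.
  const read = new Function('obj', 'with (obj) { return x; }');
  const value = read(target);
  return { value, seenIsTarget: seen === target };
}

// The reporter's testcase, `__defineGetter__("x", Float32Array); with (obj) x`,
// run against a fresh object. Float32Array is a constructor, so invoking it
// as a getter (no `new`) throws a TypeError in ES2015+ engines; the point is
// that the engine reaches the getter with a sane receiver and surfaces an
// ordinary exception instead of aborting as the 2010 debug shell did.
function runReporterTestcase() {
  const target = {};
  const run = new Function(
    'obj',
    'obj.__defineGetter__("x", Float32Array); with (obj) { return x; }'
  );
  try {
    run(target);
    return 'no-throw';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// The setter side that comment 9 says JSOP_SETNAME already handles: an
// assignment to a name resolved through `with` must call the setter with the
// scope's underlying object as `this`.
function receiverSeenBySetterThroughWith() {
  const target = {};
  let seen = null;
  Object.defineProperty(target, 'y', {
    configurable: true,
    set(v) { seen = this; this.stored = v; },
  });
  const write = new Function('obj', 'with (obj) { y = 7; }');
  write(target);
  return { stored: target.stored, seenIsTarget: seen === target };
}
```

Each function returns what it observed so the checks can be asserted rather than eyeballed; in the first and third the receiver should be the object handed to `with`, and in the second the result should be a caught TypeError.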
Comment 10 • 14 years ago (Assignee)
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/b0fcf1ff31ed
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 11 • 12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug578041.js.
Flags: in-testsuite+