Closed Bug 582286 Opened 14 years ago Closed 14 years ago

JM: "Assertion failure: globalObj->scope()->freeslot == globalScope.globalFreeSlot,"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
critical

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

(Keywords: assertion, regression, testcase)

evalcx("function s(){}",evalcx('lazy'))

asserts js debug shell on JM changeset e0988eae6c08 without -m or -j at Assertion failure: globalObj->scope()->freeslot == globalScope.globalFreeSlot, at ../jsparse.cpp:940

This doesn't seem to occur on TM tip.
The bug here is that the parser creates new properties on the global object, which our name-prediction optimizations cannot handle.

#7 0x080c3038 in js_DefineFunction (cx=0x833bcf0, obj=0xf7502120, atom=0xf7500680, native=0x80ed0da <obj_eval>, nargs=1, attrs=2048) at ../jsfun.cpp:2610
#8 0x080f39f2 in js_InitObjectClass (cx=0x833bcf0, obj=0xf7502120) at ../jsobj.cpp:3249
#9 0x08067a27 in js_InitFunctionAndObjectClasses (cx=0x833bcf0, obj=0xf7502120) at ../jsapi.cpp:1278
#10 0x080f4a2c in js_GetClassObject (cx=0x833bcf0, obj=0xf7502120, key=JSProto_Function, objp=0xffffc4d4) at ../jsobj.cpp:3696
#11 0x080f4cd4 in js_FindClassObject (cx=0x833bcf0, start=0x0, protoKey=JSProto_Function, vp=0xffffc510, clasp=0x82db120) at ../jsobj.cpp:3761
#12 0x080f9252 in js::FindClassPrototype (cx=0x833bcf0, scope=0xf7502120, protoKey=JSProto_Function, protop=0xffffc5b8, clasp=0x82db120) at ../jsobj.cpp:5535
#13 0x080f944a in js_GetClassPrototype (cx=0x833bcf0, scope=0xf7502120, protoKey=JSProto_Function, protop=0xffffc5b8, clasp=0x82db120) at ../jsobj.cpp:5582
#14 0x080bc14a in NewObject (cx=0x833bcf0, clasp=0x82db120, proto=0x0, parent=0xf7502120) at ../jsobjinlines.h:710
#15 0x080c29ce in js_NewFunction (cx=0x833bcf0, funobj=0x0, native=0, nargs=0, flags=16384, parent=0xf7502120, atom=0x82ddd80) at ../jsfun.cpp:2454
#16 0x0811e3ef in js::Parser::newFunction (this=0xffffcbac, tc=0xffffc98c, atom=0x82ddd80, lambda=0) at ../jsparse.cpp:1756
Oh yeah, IIRC we talked about forcing Function to be resolved before compiling anything. Would that do it? (That would resolve Object too, of course.) /be
Brendan, is the right idea to call js_GetClassPrototype w/ JSProto_Function? If so, I'll post a patch and r? you.
Yeah, that should do it -- test and it'll be an rs+ from me. /be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug582286.js.
Flags: in-testsuite+