Closed Bug 605015 Opened 14 years ago Closed 14 years ago

"Assertion failure: (this)->containsSlot(slot),"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: dmandelin)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

print(this.watch("x", function() { Object.defineProperty(this, "x", ({ get: (Int8Array) })) }))(x = /x/)

asserts js debug shell on TM changeset 47a8311cf0bb without -m or -j at Assertion failure: (this)->containsSlot(slot),
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 54300:7ef107ab081e
user: Brendan Eich
date: Thu Sep 16 11:56:54 2010 -0700
summary: Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff).
Blocks: 596805
blocking2.0: ? → betaN+
Blocks: 611653
Blocks: 613619
Blocks: 614714
Stack trace for the assertion:

#0 0xf7fdf430 in __kernel_vsyscall ()
#1 0xf7fb2610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x081bd385 in JS_Assert (s=0x831d5b0 "containsSlot(slot)", file=0x831d57b "../jsobj.h", ln=636) at ../jsutil.cpp:83
#3 0x08077499 in JSObject::nativeGetSlot (this=0xf7502028, slot=4294967295) at ../jsobj.h:636
#4 0x0812c9c6 in JSObject::methodWriteBarrier (this=0xf7502028, cx=0x8415cc8, shape=..., v=...) at ../jsobjinlines.h:193
#5 0x08124f0e in js_NativeSet (cx=0x8415cc8, obj=0xf7502028, shape=0x84231e0, added=false, vp=0xffffc5a8) at ../jsobj.cpp:4962
#6 0x08126859 in js_SetPropertyHelper (cx=0x8415cc8, obj=0xf7502028, id=..., defineHow=1, vp=0xffffc5a8, strict=0) at ../jsobj.cpp:5436
#7 0x082f233f in js::Interpret (cx=0x8415cc8, entryFrame=0xf77ab030, inlineCallCount=0, interpMode=JSINTERP_NORMAL) at ../jsinterp.cpp:4445
#8 0x08100618 in js::RunScript (cx=0x8415cc8, script=0x842a300, fp=0xf77ab030) at ../jsinterp.cpp:657
#9 0x081017b9 in js::Execute (cx=0x8415cc8, chain=0xf7502028, script=0x842a300, prev=0x0, flags=0, result=0x0) at ../jsinterp.cpp:1005
#10 0x08073c02 in JS_ExecuteScript (cx=0x8415cc8, obj=0xf7502028, script=0x842a300, rval=0x0) at ../jsapi.cpp:4837
#11 0x0804c4ee in Process (cx=0x8415cc8, obj=0xf7502028, filename=0xffffd2c5 "a.js", forceTTY=0) at ../../shell/js.cpp:453
#12 0x0804d4d5 in ProcessArgs (cx=0x8415cc8, obj=0xf7502028, argv=0xffffd0c8, argc=1) at ../../shell/js.cpp:952
#13 0x08056a61 in Shell (cx=0x8415cc8, argc=1, argv=0xffffd0c8, envp=0xffffd0d0) at ../../shell/js.cpp:5370
#14 0x08056c3c in main (argc=1, argv=0xffffd0c8, envp=0xffffd0d0) at ../../shell/js.cpp:5478

containsSlot() fails because 'slot' is equal to 0xffffffff, i.e. SHAPE_INVALID_SLOT.
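Added example, not part of this bug report and not the patch that landed: a simplified C++ model of the state seen in frames #3 and #4, where a write barrier reads a slot whose index is the sentinel SHAPE_INVALID_SLOT. Only containsSlot, nativeGetSlot, methodWriteBarrier and SHAPE_INVALID_SLOT are names taken from the trace; the types, the hasSlot guard and the assumption that the getter-defined "x" is the property without a slot are illustrative.

```cpp
#include <cstdint>
#include <vector>

// Simplified model for illustration; this is not SpiderMonkey source.
constexpr uint32_t SHAPE_INVALID_SLOT = 0xffffffff;

struct Shape {
    uint32_t slot;  // SHAPE_INVALID_SLOT when the property has no storage slot
    bool hasSlot() const { return slot != SHAPE_INVALID_SLOT; }  // hypothetical helper
};

struct Object {
    std::vector<int> slots;

    // Same condition the failing assertion checks.
    bool containsSlot(uint32_t slot) const { return slot < slots.size(); }

    // Checked read: rejects the sentinel and any out-of-range index instead
    // of asserting in a debug build or indexing past the array otherwise.
    bool nativeGetSlotChecked(uint32_t slot, int* out) const {
        if (!containsSlot(slot))
            return false;
        *out = slots[slot];
        return true;
    }
};

// True when an unguarded barrier would reach the assertion from the trace.
bool unguardedBarrierWouldAssert(const Object& obj, const Shape& shape) {
    return !obj.containsSlot(shape.slot);
}

// Guarded barrier (hypothetical): only properties that own a slot have a
// previous value to inspect. Returns true if *prev was filled in.
bool methodWriteBarrierGuarded(const Object& obj, const Shape& shape, int* prev) {
    if (!shape.hasSlot())
        return false;  // e.g. accessor property: nothing stored, skip the read
    return obj.nativeGetSlotChecked(shape.slot, prev);
}
```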
Assignee: general → dmandelin
Attached patch Patch (deleted) — Splinter Review
Attachment #493887 - Flags: review?(dvander)
Attachment #493887 - Flags: review?(dvander) → review+
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Tardy nit: we usually use if (A && B) instead of if (A) if (B). No big deal, and I have a patch to use if (brandedOrHasMethodBarrier()) instead of the open-coded flag test equiv. that I'll get in for bug 597864. /be
No longer blocks: 611653
Blocks: 611653
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug605015.js.
Flags: in-testsuite+