Closed Bug 635598 Opened 14 years ago Closed 14 years ago

Assertion failure: &pobj->getSlot(shape->slot).toObject() == &shape->methodObject(), at jsobj.cpp:5699

Categories: Core :: JavaScript Engine, defect
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 561359
Tracking Status: blocking2.0 --- .x+

People: Reporter: decoder, Assigned: jorendorff

Keywords: assertion, regression, testcase

The following code asserts on TM tip:

parseInt("08");
for (let methods = 0; methods < 2; ++methods) {
    obj = {m: function () { return this.x; }};
    obj.watch("m", function (id, oldval, newval) { methods[0] = oldval; });
    obj.m = 0;
}

Not blocking for now because it does not crash for me.
Might be related to bug 561359, or might not.
Different regression window from bug 561359 though.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   32130:842e6c09e35a
user:        Brendan Eich
date:        Thu Sep 03 14:41:19 2009 -0700
summary:     Join lambdas assigned or initialized as methods to the compiler-created function object if we can, with a read barrier to clone on method value extractions other than call expressions (471214, r=jorendorff).

Nominating for .x
Blocks: 471214
blocking2.0: --- → ?
Keywords: regression
OS: Linux → All
Hardware: x86_64 → All
blocking2.0: ? → .x
Assignee: general → jorendorff
.watch isn't really involved.

var f;
for (let methods = 0; methods < 2; methods++) {
    var obj = {m: function () { return this.x; }};
    dumpObject(obj);  // shows the bug
    obj.m;  // asserts
    f = function (id, oldval, newval) { return methods; };
}

This is indeed a duplicate of bug 561359.

The test contains a JSOP_LAMBDA, JSOP_INITMETHOD sequence. As bug 561359 comment 9 says:

> The bug is that the method optimization depends on whether or not an enclosing
> Block happens to have been reified. That's not deterministic enough: for cache
> correctness, JSOP_LAMBDA must apply the method optimization based solely on
> criteria known at jsemit time and/or covered by the recipient object's shape.

This way of triggering the bug doesn't reveal any new worrying security issues, as far as I can tell, so it shouldn't block.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
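The quoted comment says the method optimization must not depend on whether an enclosing Block was reified. What an engine is allowed to do internally (join the lambda to one compiler-created function object, clone it on a value read) is invisible to scripts; what is observable is function identity. The following is an added example, not code from this bug or from SpiderMonkey: a small conformance check, runnable under Node, that exercises the same shape as jorendorff's reduced test (a lambda used as a method inside a `let` loop, with and without another closure capturing the loop variable) and verifies the semantics the optimization has to preserve. The function names `buildObjects` and `checkMethodIdentity` are mine.

```javascript
// Added example; not code from the bug report or the engine. Checks the
// script-visible invariants that a method optimization must keep:
//   1. reading obj.m as a value returns the same object on every read,
//   2. each evaluation of the object literal produces its own function,
//   3. calling obj.m() still binds `this` to the receiver,
//   4. overwriting obj.m on one object does not affect another,
//   5. none of this changes when a closure captures the let-bound loop
//      variable (the "reified Block" case from the duplicate bug).

function buildObjects(captureLoopVar) {
  const objs = [];
  const closures = [];
  for (let i = 0; i < 2; i++) {
    // Lambda assigned as a method in an object initialiser: the
    // JSOP_LAMBDA / JSOP_INITMETHOD pattern named in the bug comment.
    const obj = { m: function () { return this.x; } };
    objs.push(obj);
    if (captureLoopVar) {
      // Capturing `i` forces a per-iteration block scope to be materialised,
      // mirroring the `f = function () { return methods; }` line in the test.
      closures.push(function () { return i; });
    }
  }
  return { objs, closures };
}

function checkMethodIdentity(captureLoopVar) {
  const { objs, closures } = buildObjects(captureLoopVar);
  const [a, b] = objs;
  a.x = 1;
  b.x = 2;
  // Method value extraction (not a call) must be stable across reads.
  const stableRead = a.m === a.m && b.m === b.m;
  // Two evaluations of the literal must not share one function object.
  const distinctPerIteration = a.m !== b.m;
  // Call expressions still see the receiver as `this`.
  const callsWork = a.m() === 1 && b.m() === 2;
  // Overwriting the method (as the original test does with obj.m = 0)
  // replaces the property on that object only.
  a.m = 0;
  const overwriteIsLocal = a.m === 0 && typeof b.m === 'function' && b.m() === 2;
  return {
    stableRead,
    distinctPerIteration,
    callsWork,
    overwriteIsLocal,
    capturedValues: closures.map((f) => f()),
  };
}

// Usage: run both variants; every boolean should be true and the captured
// loop-variable values should be [0, 1] only when capture was requested.
console.log(checkMethodIdentity(true));
console.log(checkMethodIdentity(false));
```

If an engine's optimization leaked the joined function object between iterations, `distinctPerIteration` would be false; if its clone-on-read barrier were applied inconsistently, `stableRead` would be false. Both checks should pass identically whether or not the loop variable is captured.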
A testcase for this bug was already added in the original bug (bug 561359).
Flags: in-testsuite-