Closed
Bug 635598
Opened 14 years ago
Closed 14 years ago
Assertion failure: &pobj->getSlot(shape->slot).toObject() == &shape->methodObject(), at jsobj.cpp:5699
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 561359
Tracking | Status | |
---|---|---|
blocking2.0 | --- | .x+ |
People
(Reporter: decoder, Assigned: jorendorff)
Details
(Keywords: assertion, regression, testcase)
The following code asserts on TM tip:

    parseInt("08");
    for (let methods = 0; methods < 2; ++methods) {
        obj = {m: function () { return this.x; }};
        obj.watch("m", function (id, oldval, newval) { methods[0] = oldval; });
        obj.m = 0;
    }

Not blocking for now because it does not crash for me.
Comment 1•14 years ago
Might be related to bug 561359, or might not.
Comment 2•14 years ago
Different regression window from bug 561359 though.. autoBisect shows this is probably related to the following changeset:

    The first bad revision is:
    changeset:   32130:842e6c09e35a
    user:        Brendan Eich
    date:        Thu Sep 03 14:41:19 2009 -0700
    summary:     Join lambdas assigned or initialized as methods to the compiler-created function object if we can, with a read barrier to clone on method value extractions other than call expressions (471214, r=jorendorff).

Nominating for .x
Updated•14 years ago
blocking2.0: ? → .x
Assignee
Updated•14 years ago
Assignee: general → jorendorff
Assignee
Comment 3•14 years ago
.watch isn't really involved.

    var f;
    for (let methods = 0; methods < 2; methods++) {
        var obj = {m: function () { return this.x; }};
        dumpObject(obj);  // shows the bug
        obj.m;  // asserts
        f = function (id, oldval, newval) { return methods; };
    }

This is indeed a duplicate of bug 561359. The test contains a JSOP_LAMBDA, JSOP_INITMETHOD sequence. As bug 561359 comment 9 says:

> The bug is that the method optimization depends on whether or not an enclosing
> Block happens to have been reified. That's not deterministic enough: for cache
> correctness, JSOP_LAMBDA must apply the method optimization based solely on
> criteria known at jsemit time and/or covered by the recipient object's shape.

This way of triggering the bug doesn't reveal any new worrying security issues, as far as I can tell, so it shouldn't block.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 4•12 years ago
A testcase for this bug was already added in the original bug (bug 561359).
Flags: in-testsuite-