Closed
Bug 633752
Opened 13 years ago
Closed 13 years ago
TM: Assertion failure: (frameobj == NULL) == (*mTypeMap == JSVAL_TYPE_NULL), at ../jstracer.cpp:3174
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | - |
People
(Reporter: jandem, Assigned: dvander)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:low][fixed-in-tracemonkey])
Attachments
(2 files)
2.66 KB,
text/plain
|
Details | |
2.08 KB,
patch
|
cdleary
:
review+
dmandelin
:
approval2.0+
|
Details | Diff | Splinter Review |
--- function f(o) { var p = "arguments"; for(var i=0; i<10; i++) { f[p]; } } f({}); f({}); f({}); f({}); --- This asserts with -j -m -a: Assertion failure: (frameobj == NULL) == (*mTypeMap == JSVAL_TYPE_NULL), at ../jstracer.cpp:3174 The patch in bug 632901 does not fix this; does not assert without -m.
Reporter | ||
Comment 1•13 years ago
|
||
Reporter | ||
Comment 2•13 years ago
|
||
Also asserts with -j -m at revision bf89669b34cb, before bug 631951 landed. So this is not a regression from bug 631951.
Reporter | ||
Comment 3•13 years ago
|
||
The first bad revision is: changeset: 55725:339457364540 user: Bill McCloskey <wmccloskey@mozilla.com> date: Thu Oct 21 09:36:39 2010 -0700 summary: Bug 580468 - Use loop profiling to decide whether to use TM or JM (second try) (r=dmandelin) This may be a red herring though.
Reporter | ||
Comment 4•13 years ago
|
||
FWIW: (gdb) p frameobj $1 = (JSObject *) 0x0 (gdb) p *mTypeMap $2 = JSVAL_TYPE_NONFUNOBJ
Reporter | ||
Updated•13 years ago
|
Keywords: regression
Comment 5•13 years ago
|
||
(In reply to comment #3) > The first bad revision is: > changeset: 55725:339457364540 > user: Bill McCloskey <wmccloskey@mozilla.com> > date: Thu Oct 21 09:36:39 2010 -0700 > summary: Bug 580468 - Use loop profiling to decide whether to use TM or JM > (second try) (r=dmandelin) > > This may be a red herring though. Yeah, sounds like that changed exposed a latent bug.
Reporter | ||
Comment 6•13 years ago
|
||
OK, this *does* assert without -m (see bug 633929)
I thought NULL was a legal value for JSVAL_TYPE_NONFUNOBJ? -ing on that assumption (meaning incorrect assertion).
blocking2.0: ? → -
Assignee | ||
Comment 8•13 years ago
|
||
It's not, but it shouldn't block anyway. Looks like Another Arguments Bug, should be easy to fix.
Assignee | ||
Comment 9•13 years ago
|
||
We're missing a deep bail by caching the result of a non-default getter. Low-risk patch.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #512221 -
Flags: review?(cdleary)
Attachment #512221 -
Flags: approval2.0?
Updated•13 years ago
|
Attachment #512221 -
Flags: review?(cdleary) → review+
Updated•13 years ago
|
Attachment #512221 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Updated•13 years ago
|
Whiteboard: sg:low
Assignee | ||
Comment 10•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/34c05b9c0079
Whiteboard: sg:low → [sg:low][fixed-in-tracemonkey]
Comment 11•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/34c05b9c0079
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•