Closed Bug 655508 Opened 13 years ago Closed 13 years ago

TI+JM: Assertion failure: obj, at jsval.h:514

Categories

(Core :: JavaScript Engine, defect)

x86
All


RESOLVED FIXED

People

(Reporter: jandem, Unassigned)


Attachments

(1 file)

381 bytes, application/x-javascript
Attached file Testcase
$ ./js -n -m -a test.js
Assertion failure: obj, at jsval.h:514

Revision e09e209d988e, 32-bit OS X.
This issue is 32 bit only.

I reduced the testcase only slightly:

for (var i = 0;;) switch (3) {
case
    function () {
        var x;
        (function () {})() && false;
        x = undefined;
        try {
            JSON.parse(x)
        } catch (e) {}
    }([]):
case
    function () {
        [typeof loopa1]
    }(0):
}
Hardware: All → x86
Funny issue: for local variables with no use-before-def we don't write an undefined value but mark the local as synced at script entry (so we don't try to write the value out later; in any case that initial value won't be observed). The problem is that if the variable is then written with a value known to be undefined (which could be subsequently observed), we see that the old type is also undefined and decide the new type doesn't need to be written out, ending up with the torn value seen here. This fix just always syncs types after writing undefined to locals, presumably a rare operation.

http://hg.mozilla.org/projects/jaegermonkey/rev/66f61893f67d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
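
The sync-elision failure described in the comment above, as an added C++ model that is not JaegerMonkey's code and is not part of the original bug report. The split tag/payload slot, the names (Slot, LocalState, storeUndefined, alwaysSyncType) and the stale object tag left in the stack slot are assumptions chosen for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed model: on 32-bit builds a boxed value is two words, a type tag
// and a payload, and each word can be written to memory independently.
enum Tag : uint32_t { TAG_UNDEFINED = 1, TAG_OBJECT = 2 };
struct Slot { uint32_t tag; uint32_t payload; };

// What the compiler believes about one local variable (hypothetical names).
struct LocalState {
    Tag  knownType;   // statically known type of the local
    bool typeSynced;  // compiler believes the tag word in memory matches knownType
};

// Script entry for a local with no use-before-def: nothing is stored,
// but the local is marked as synced so no store is emitted later.
LocalState enterScript() { return {TAG_UNDEFINED, true}; }

// Store of a value known to be undefined. With alwaysSyncType == false the
// tag store is skipped when the old type is already "undefined and synced".
void storeUndefined(Slot &mem, LocalState &st, bool alwaysSyncType) {
    mem.payload = 0;  // payload word is written
    bool typeLooksCurrent = st.typeSynced && st.knownType == TAG_UNDEFINED;
    if (alwaysSyncType || !typeLooksCurrent)
        mem.tag = TAG_UNDEFINED;  // tag word is written
    st.knownType = TAG_UNDEFINED;
    st.typeSynced = true;
}

// A reader of the slot sees an "object" whose pointer payload is null.
bool readsAsNullObject(const Slot &s) {
    return s.tag == TAG_OBJECT && s.payload == 0;
}

Slot run(bool alwaysSyncType) {
    // Constructed stale stack contents: an object value left by earlier code.
    Slot mem = {TAG_OBJECT, 0xdeadbeef};
    LocalState st = enterScript();             // marked synced, never written
    storeUndefined(mem, st, alwaysSyncType);   // x = undefined
    return mem;
}

int main() {
    std::printf("elided tag store: torn=%d\n", readsAsNullObject(run(false)));
    std::printf("always sync type: torn=%d\n", readsAsNullObject(run(true)));
    return 0;
}
```
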