Closed Bug 1064054 Opened 10 years ago Closed 10 years ago

Assertion failure: name != cx->names().proto (should have used JSOP_MUTATEPROTO), at jit/BaselineIC.cpp:7664

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla35

Tracking Flags:

Tracking

Status

firefox35

---

affected

People

(Reporter: decoder, Assigned: Waldo)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(2 files)

[crash-signature] Machine-readable crash signature 10 years ago Christian Holler (:decoder) 373 bytes, text/plain		Details
Remove now-invalid assertion 10 years ago Jeff Walden [:Waldo] 1.96 KB, patch	shu : review+	Details \| Diff \| Splinter Review

Christian Holler (:decoder)

Reporter

Description

•

10 years ago

The following testcase asserts on mozilla-central revision 2255d7d187b2 (run with --fuzzing-safe --no-threads --ion-eager):


Function("return { __proto__() {} }")();

Christian Holler (:decoder)

Reporter

Comment 1

•

10 years ago

Attached file [crash-signature] Machine-readable crash signature — Details

Christian Holler (:decoder)

Reporter

Comment 2

•

10 years ago

Fuzzblocker due to frequency.

status-firefox35: --- → affected

Whiteboard: [jsbugmon:update,bisect][fuzzblocker]

Till Schneidereit [:till]

Comment 3

•

10 years ago

Pretty sure that's Waldo's

Flags: needinfo?(jwalden+bmo)

Christian Holler (:decoder)

Reporter

Updated

•

10 years ago

Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

Christian Holler (:decoder)

Reporter

Comment 4

•

10 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8acb4009398c
user:        Jeff Walden
date:        Sat Aug 30 14:27:19 2014 -0700
summary:     Bug 1061853 - Reintroduce PNK_MUTATEPROTO to distinguish ({ __proto__: v }) as mutating the [[Prototype]] from ({ __proto__() {} }) as not doing so.  r=shu

This iteration took 359.865 seconds to run.

Jeff Walden [:Waldo]

Assignee

Comment 5

•

10 years ago

Attached patch Remove now-invalid assertion — Details — Splinter Review

JSOP_INITPROP is now used with __proto__ in rare cases, so remove the assertion here.  Also add tests for all the non-prototype-mutating definition flavors that were in the object-literal-__proto__.js test previously landed.

Attachment #8486130 - Flags: review?(shu)

Jeff Walden [:Waldo]

Assignee

Updated

•

10 years ago

Assignee: nobody → jwalden+bmo

Status: NEW → ASSIGNED

Jeff Walden [:Waldo]

Assignee

Updated

•

10 years ago

Flags: needinfo?(jwalden+bmo)

Shu-yu Guo [:shu]

Updated

•

10 years ago

Attachment #8486130 - Flags: review?(shu) → review+

Jeff Walden [:Waldo]

Assignee

Comment 6

•

10 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/206d9ecf4063

Flags: in-testsuite+

Carsten Book [:Tomcat]

Comment 7

•

10 years ago

https://hg.mozilla.org/mozilla-central/rev/206d9ecf4063

Status: ASSIGNED → RESOLVED

Closed: 10 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla35

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: name != cx->names().proto (should have used JSOP_MUTATEPROTO), at jit/BaselineIC.cpp:7664

Categories

(Core :: JavaScript Engine: JIT, defect)

Tracking

()

People

(Reporter: decoder, Assigned: Waldo)

References

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Updated

Updated

Updated

Comment 6

Comment 7

Attachment

General

Description

File Name

Content Type