Closed
Bug 1096789
Opened 11 years ago
Closed 11 years ago
Assertion failure: obj->isNative(), at vm/NativeObject.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox36 | --- | fixed |
People
(Reporter: gkw, Unassigned)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
8.57 KB, text/plain
x = wrap({});
Proxy.create(Object, x)
Array.prototype.shift.call(x)
asserts js debug shell on m-c changeset cbe6afcae26c with --no-ion --no-threads at Assertion failure: obj->isNative(), at vm/NativeObject.cpp.
Debug configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fd58d09bcf1c
user: Jason Orendorff
date: Sat Oct 18 16:49:50 2014 -0500
summary: Bug 1090537, part 8 - In SetPropertyHelper, if defining a new data property, define it on receiver, not obj. r=efaust.
Jason, is bug 1090537 a possible regressor?
Flags: needinfo?(jorendorff)
Comment 1•11 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0xbf7dc, 0x006ceafb js-dbg-opt-32-dm-nsprBuild-darwin-cbe6afcae26c`PurgeScopeChain(js::ExclusiveContext*, JS::Handle<JSObject*>, JS::Handle<jsid>) [inlined] JSObject::lastProperty(this=<unavailable>, this=<unavailable>, flag=<unavailable>) const + 15 at jsobj.h:129, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x006ceafb js-dbg-opt-32-dm-nsprBuild-darwin-cbe6afcae26c`PurgeScopeChain(js::ExclusiveContext*, JS::Handle<JSObject*>, JS::Handle<jsid>) [inlined] JSObject::lastProperty(this=<unavailable>, this=<unavailable>, flag=<unavailable>) const + 15 at jsobj.h:129
frame #1: 0x006ceaec js-dbg-opt-32-dm-nsprBuild-darwin-cbe6afcae26c`PurgeScopeChain(js::ExclusiveContext*, JS::Handle<JSObject*>, JS::Handle<jsid>) [inlined] JS::Handle<JSObject*>::operator->(this=<unavailable>) const at jsobj.h:216
frame #2: 0x006ceaec js-dbg-opt-32-dm-nsprBuild-darwin-cbe6afcae26c`PurgeScopeChain(cx=<unavailable>, obj=<unavailable>, id=<unavailable>) + 380 at NativeObject.cpp:1392
frame #3: 0x006d16a6 js-dbg-opt-32-dm-nsprBuild-darwin-cbe6afcae26c`bool SetPropertyByDefining<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, bool) [inlined] js::BarrieredBase<js::types::TypeObject*>::operator->(this=<unavailable>) const + 134 at jsinfer.h:1061
frame #4: 0x006d1692 js-dbg-opt-32-dm-nsprBuild-darwin-cbe6afcae26c`bool SetPropertyByDefining<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, bool) [inlined] JS::Handle<JSObject*>::operator->(this=<unavailable>) const + 2 at jsobj.h:138
(lldb)
Updated•11 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3•11 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision cf9eafef4ffa).
Comment 4•11 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/430b12e87f20
user: Jason Orendorff
date: Mon Nov 10 16:53:04 2014 -0600
summary: Bug 1095973 - Fix crash @PurgeProtoChain introduced by 1090537. r=efaust.
Is bug 1095973 a likely fix? If so, is the testcase in comment 0 still needed?
Comment 5•11 years ago
Yes, bug 1095973 is definitely the fix. I think the testcase would be a fine addition.
Flags: needinfo?(jorendorff)
Comment 6•11 years ago (Reporter)
(In reply to Jason Orendorff [:jorendorff] from comment #5)
> Yes, bug 1095973 is definitely the fix. I think the testcase would be a fine
> addition.
Fixed by bug 1095973, then. Setting in-testsuite? for landing of the testcase.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]