Closed
Bug 1172150
Opened 8 years ago
Closed 8 years ago
Assertion failure: newTarget.isObject(), at vm/Interpreter.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla41
| Tracking | Status | |
|---|---|---|
| firefox41 | --- | fixed |
People
(Reporter: gkw, Assigned: efaust)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
3.66 KB,
text/plain
|
Details | |
|
1.22 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
new '' (...Array()) asserts js debug shell on m-c changeset 555c96db9c33 with --fuzzing-safe --no-threads --no-ion at Assertion failure: newTarget.isObject(), at vm/Interpreter.cpp. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 555c96db9c33 autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/02a02fcab9eb user: Eric Faust date: Wed Jun 03 02:01:14 2015 -0700 summary: Bug 1141865 - Part 2: Plumb new.target on the stack and make it accessible to JSNatives. (r=jorendorff, r=jandem, r=shu) Eric, is bug 1141865 a likely regressor?
Flags: needinfo?(efaustbmo)
|
Reporter | |
Comment 1•8 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0xab07f, 0x0000000100230b17 js-dbg-64-dm-nsprBuild-darwin-555c96db9c33`js::SpreadCallOperation(cx=<unavailable>, script=<unavailable>, pc=0x0000000101fa429e, thisv=<unavailable>, callee=<unavailable>, arr=<unavailable>, newTarget=<unavailable>, res=<unavailable>) + 1543 at Interpreter.cpp:4591, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100230b17 js-dbg-64-dm-nsprBuild-darwin-555c96db9c33`js::SpreadCallOperation(cx=<unavailable>, script=<unavailable>, pc=0x0000000101fa429e, thisv=<unavailable>, callee=<unavailable>, arr=<unavailable>, newTarget=<unavailable>, res=<unavailable>) + 1543 at Interpreter.cpp:4591
frame #1: 0x000000010021f518 js-dbg-64-dm-nsprBuild-darwin-555c96db9c33`Interpret(cx=0x0000000101fa5180, state=0x00007fff5fbfef88) + 44712 at Interpreter.cpp:2917
frame #2: 0x00000001002145f5 js-dbg-64-dm-nsprBuild-darwin-555c96db9c33`js::RunScript(cx=0x0000000101fa5180, state=0x00007fff5fbfef88) + 405 at Interpreter.cpp:652
frame #3: 0x000000010022abb7 js-dbg-64-dm-nsprBuild-darwin-555c96db9c33`js::ExecuteKernel(cx=0x0000000101fa5180, script=<unavailable>, scopeChainArg=0x000000010385a060, thisv=0x00007fff5fbff0c8, newTargetValue=0x00007fff5fbff0c0, type=EXECUTE_GLOBAL, evalInFrame=<unavailable>, result=<unavailable>) + 1191 at Interpreter.cpp:887
frame #4: 0x000000010022af47 js-dbg-64-dm-nsprBuild-darwin-555c96db9c33`js::Execute(cx=0x0000000101fa5180, script=<unavailable>, scopeChainArg=<unavailable>, rval=0x0000000000000000) + 455 at Interpreter.cpp:926
(lldb)
|
Assignee | |
Comment 2•8 years ago
|
||
Yeah, that assert is bogus. The value is correctly the string we are trying to invoke. We just haven't gotten around to noticing it's not a constructor yet. Removing the assert yields the expected TypeError.
Assignee: nobody → efaustbmo
Flags: needinfo?(efaustbmo)
Attachment #8616331 -
Flags: review?(bzbarsky)
|
|
||
Comment 3•8 years ago
|
||
Comment on attachment 8616331 [details] [diff] [review] Fix r=me
Attachment #8616331 -
Flags: review?(bzbarsky) → review+
|
||
Comment 5•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/910fc75ab5eb
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
You need to log in
before you can comment on or make changes to this bug.
Description
•