Closed
Bug 1202522
Opened 9 years ago
Closed 9 years ago
Assertion failure: this->is<T>(), at jsobj.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox43 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
3.97 KB,
text/plain
|
Details |
function g(f) { for (var j = 0; j < 999; ++j) { try { f(); } catch (e) { e.toString(); } } } s = newGlobal(); s.g = g; function ff(code) { try { evalcx(code, s); } catch (e) {} } ff("[;"); ff("function m()[]();3[[],[]](/x/);"); ff("g(m,[]);Uint8Array(new ArrayBuffer);"); ff("function n()''(y);g(n,[Math.I,Number.MIN_VALUE]);"); ff("'use strict';gcparam('maxBytes',gcparam('gcBytes'));eval('');"); asserts js debug shell on m-c changeset e816a7a854a3 with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: this->is<T>(), at jsobj.h Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r e816a7a854a3 Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/ea0a468b66e1 user: Shu-yu Guo date: Sun Aug 30 15:08:19 2015 -0700 summary: Bug 1193583 - Support emitting block scopes in the prologue. (r=jorendorff) changeset: https://hg.mozilla.org/mozilla-central/rev/4fe7fc076419 user: Shu-yu Guo date: Sun Aug 30 15:08:19 2015 -0700 summary: Bug 1193583 - Fix eval to always execute under a non-extensible lexical scope. (r=jorendorff) Shu-yu, is bug 1193583 a likely regressor?
Flags: needinfo?(shu)
Reporter | ||
Comment 1•9 years ago
|
||
(lldb) bt 5 * thread #1: tid = 0x8ec39, 0x0000000100313b8a js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::settle() + 52 at jsobj.h:547, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x0000000100313b8a js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::settle() + 52 at jsobj.h:547 frame #1: 0x0000000100313b56 js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::settle(this=<unavailable>) + 1878 at ScopeObject.cpp:1129 frame #2: 0x00000001003142b3 js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::operator++(this=0x00007fff5fbfb558) + 291 at ScopeObject.cpp:1163 frame #3: 0x000000010025d6d3 js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::UnwindAllScopesInFrame(cx=<unavailable>, si=<unavailable>) + 35 at Interpreter.cpp:1293 frame #4: 0x000000010075826f js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::jit::DebugEpilogue(cx=0x000000010284c400, frame=0x00007fff5fbfbd18, pc=<unavailable>, ok=<unavailable>) + 223 at VMFunctions.cpp:698 (lldb)
Comment 2•9 years ago
|
||
Jon got to this one before I did in bug 1155618. The relevant snippet is: + // Check for trying to iterate a strict eval frame before the prologue has + // created the CallObject. + if (frame_ && frame_.isStrictEvalFrame() && !frame_.hasCallObj() && !ssi_.done()) { + MOZ_ASSERT(ssi_.type() == StaticScopeIter<CanGC>::Block); + incrementStaticScopeIter(); + MOZ_ASSERT(ssi_.type() == StaticScopeIter<CanGC>::Eval); + incrementStaticScopeIter(); + } +
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•