Closed
Bug 1202522
Opened 10 years ago
Closed 10 years ago
Assertion failure: this->is<T>(), at jsobj.h
Categories
(Core :: JavaScript Engine: JIT, defect)
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox43 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file): 3.97 KB, text/plain
```js
function g(f) {
    for (var j = 0; j < 999; ++j) {
        try {
            f();
        } catch (e) {
            e.toString();
        }
    }
}
s = newGlobal();
s.g = g;
function ff(code) {
    try {
        evalcx(code, s);
    } catch (e) {}
}
ff("[;");
ff("function m()[]();3[[],[]](/x/);");
ff("g(m,[]);Uint8Array(new ArrayBuffer);");
ff("function n()''(y);g(n,[Math.I,Number.MIN_VALUE]);");
ff("'use strict';gcparam('maxBytes',gcparam('gcBytes'));eval('');");
```
asserts js debug shell on m-c changeset e816a7a854a3 with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: this->is<T>(), at jsobj.h
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r e816a7a854a3
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/ea0a468b66e1
user: Shu-yu Guo
date: Sun Aug 30 15:08:19 2015 -0700
summary: Bug 1193583 - Support emitting block scopes in the prologue. (r=jorendorff)
changeset: https://hg.mozilla.org/mozilla-central/rev/4fe7fc076419
user: Shu-yu Guo
date: Sun Aug 30 15:08:19 2015 -0700
summary: Bug 1193583 - Fix eval to always execute under a non-extensible lexical scope. (r=jorendorff)
Shu-yu, is bug 1193583 a likely regressor?
Flags: needinfo?(shu)
Comment 1•10 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x8ec39, 0x0000000100313b8a js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::settle() + 52 at jsobj.h:547, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100313b8a js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::settle() + 52 at jsobj.h:547
frame #1: 0x0000000100313b56 js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::settle(this=<unavailable>) + 1878 at ScopeObject.cpp:1129
frame #2: 0x00000001003142b3 js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::ScopeIter::operator++(this=0x00007fff5fbfb558) + 291 at ScopeObject.cpp:1163
frame #3: 0x000000010025d6d3 js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::UnwindAllScopesInFrame(cx=<unavailable>, si=<unavailable>) + 35 at Interpreter.cpp:1293
frame #4: 0x000000010075826f js-dbg-64-dm-nsprBuild-darwin-e816a7a854a3`js::jit::DebugEpilogue(cx=0x000000010284c400, frame=0x00007fff5fbfbd18, pc=<unavailable>, ok=<unavailable>) + 223 at VMFunctions.cpp:698
(lldb)
Comment 2•10 years ago
Jon got to this one before I did in bug 1155618. The relevant snippet is:
+ // Check for trying to iterate a strict eval frame before the prologue has
+ // created the CallObject.
+ if (frame_ && frame_.isStrictEvalFrame() && !frame_.hasCallObj() && !ssi_.done()) {
+ MOZ_ASSERT(ssi_.type() == StaticScopeIter<CanGC>::Block);
+ incrementStaticScopeIter();
+ MOZ_ASSERT(ssi_.type() == StaticScopeIter<CanGC>::Eval);
+ incrementStaticScopeIter();
+ }
+
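Review bot: The two MOZ_ASSERT(ssi_.type() == ...) checks in this block are the only thing verifying that the static scope chain is Block followed by Eval, and MOZ_ASSERT compiles away in non-debug builds, so a release build calls incrementStaticScopeIter() twice on whatever scopes are actually there. The condition also tests !ssi_.done() only once, before the first increment; the second ssi_.type() read and the second increment run without rechecking it. If Block-then-Eval is a hard invariant for a strict eval frame that has no CallObject yet, state that in the comment above the check; otherwise make each increment conditional on the scope type and on !ssi_.done() rather than asserting it.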
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(shu)
Resolution: --- → FIXED