Closed Bug 327608 Opened 18 years ago Closed 18 years ago

Crash [@ js_SetCallVariable] or "Assertion failure: prop, at jsfun.c:1046"

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(4 keywords, Whiteboard: [rft-dl])

Crash Data

Attachments

(2 files)

testcase
419 bytes, text/html
Details
Proposed fix
963 bytes, patch
brendan
: review+
brendan
: approval-branch-1.8.1+
brendan
: approval1.8.0.2+
Details | Diff | Splinter Review 
Steps to reproduce:
  1. Make sure the testcase is allowed to open popup windows (to force GC).
  2. Load the testcase.

Result:
  Mac debug: Always aborts with "Assertion failure: prop, at jsfun.c:1046"
  Mac nightly: Sometimes crashes [@ js_SetCallVariable].
  
Expected:
  No crash or assertion failure.

I spent many hours trying to create a reduced testcase for this crash.  I hope it's useful.
Attached file testcase 

    
  
OS: MacOS X → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed fixSplinter Review
      

    


  
We can't assume that we're going to find the prototype property -- we'd normally find it on the proto chain, but that's been severed!
Assignee: general → mrbkap
Status: NEW → ASSIGNED

        Attachment #212284 -
        Flags: review?(brendan)

    
    

    
  
Comment on attachment 212284 [details] [diff] [review]
Proposed fix

No-brainer for branches.

/be

        Attachment #212284 -
        Flags: review?(brendan)

        Attachment #212284 -
        Flags: review+

        Attachment #212284 -
        Flags: approval1.8.0.2+

        Attachment #212284 -
        Flags: approval-branch-1.8.1+

    
    

    
  
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
Resolution: --- → FIXED

    
    

    
  
Verified fixed using today's Mac nightly.
Status: RESOLVED → VERIFIED
Flags: blocking1.8.0.2? → blocking1.8.0.2+

    
    

    
  
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, 
          
            fixed1.8.1

    
    

    
  
Checking in regress-327608.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-327608.js,v  <--  regress-327608.js
initial revision: 1.1
done

Flags: testcase+

    
    

    
  
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates) since in-testsuite+ indicates a test case exists in the js test library.
Whiteboard: [rft-dl]

    
    

    
  
v ff 1.8.0.1/1.8/1.9 20060302 win/linux/mac
Keywords: fixed1.8.0.2, 
          
            fixed1.8.1verified1.8.0.2, 
          
            verified1.8.1
Crash Signature: [@ js_SetCallVariable]
Flags: blocking1.8.1?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: