Bug 418989: js_FillPropertyCache Asserts and dies
Opened 17 years ago, closed 17 years ago
Categories: Core :: JavaScript Engine, defect, P1
Status: RESOLVED FIXED (mozilla1.9beta5)
People: Reporter: MikeM, Assigned: brendan
Attachments: 1 file (3.05 KB, patch; shaver: review+)

Description
js_FillPropertyCache trips on the following assert:
------------------
JS_ASSERT_IF(scopeIndex == 0,
protoIndex != 1 || OBJ_GET_PROTO(cx, obj) == pobj);
------------------
protoIndex is set to 1 and scopeIndex is 0
I just pulled down the latest code from the trunk a few hours ago.
Here's the call stack
------------
JS_Assert(const char * s=0x101e2fdc, const char * file=0x101e2fcc, int ln=223) Line 59 C
js_FillPropertyCache(JSContext * cx=0x034daf30, JSObject * obj=0x03d12000, unsigned long kshape=243, unsigned int scopeIndex=0, unsigned int protoIndex=1, JSObject * pobj=0x03d12d80, JSScopeProperty * sprop=0x03537900, JSPropCacheEntry * * entryp=0x03d0ec20) Line 223 + 0x2e bytes C
js_FindPropertyHelper(JSContext * cx=0x034daf30, long id=64041076, JSObject * * objp=0x03d0edfc, JSObject * * pobjp=0x03d0ee80, JSProperty * * propp=0x03d0ede8, JSPropCacheEntry * * entryp=0x03d0ec20) Line 3418 + 0x2b bytes C
js_Interpret(JSContext * cx=0x034daf30, unsigned char * pc=0x033cdaeb, long * result=0x03d0eefc) Line 4748 + 0x26 bytes C
js_Execute(JSContext * cx=0x034daf30, JSObject * chain=0x03d12000, JSScript * script=0x033cda10, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x03d0f0e8) Line 1649 + 0x13 bytes C
JS_ExecuteScript(JSContext * cx=0x034daf30, JSObject * obj=0x03d12000, JSScript * script=0x033cda10, long * rval=0x03d0f0e8) Line 4823 + 0x19 bytes C
Comment 1 • 17 years ago (Reporter)
Any help on this would be appreciated.
Debugging in release mode builds is getting old. :-)
I'd be glad to "fix" it with a little guidance...
Updated • 17 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Comment 3 • 17 years ago (Reporter)
This bug was not fixed by bug #418139.
Here's another call stack illustrating the problem:
JS_Assert(const char * s=0x101dc68c, const char * file=0x101dc65c, int ln=250) Line 59 C
js_FillPropertyCache(JSContext * cx=0x034db5c0, JSObject * obj=0x03d11000, unsigned long kshape=503, unsigned int scopeIndex=0, unsigned int protoIndex=1, JSObject * pobj=0x03d11020, JSScopeProperty * sprop=0x031c2b48, JSPropCacheEntry * * entryp=0x03d0ec50) Line 250 + 0x2e bytes C
js_FindPropertyHelper(JSContext * cx=0x034db5c0, long id=64042404, JSObject * * objp=0x03d0ee30, JSObject * * pobjp=0x03d0eeb4, JSProperty * * propp=0x03d0ee1c, JSPropCacheEntry * * entryp=0x03d0ec50) Line 3418 + 0x2b bytes C
js_Interpret(JSContext * cx=0x034db5c0, unsigned char * pc=0x034cd4e3, long * result=0x03d0ef44) Line 4921 + 0x26 bytes C
js_Execute(JSContext * cx=0x034db5c0, JSObject * chain=0x03d11000, JSScript * script=0x034cd080, JSStackFrame * down=0x00000000, unsigned int flags=2048, long * result=0x03d0f11c) Line 1509 + 0x13 bytes C
JS_ExecuteScript(JSContext * cx=0x034db5c0, JSObject * obj=0x03d11000, JSScript * script=0x034cd080, long * rval=0x03d0f11c) Line 4823 + 0x19 bytes C
I pulled down the HEAD today.
Let me know if you need anything else.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 4 • 17 years ago (Assignee)
MikeM: are you calling JS_SetPrototype in your code?
What is the relation, if any, of pobj and obj along the prototype chain of obj? Start from (JSObject *)obj->fslots[0] and keep following fslots[0] till you hit null or pobj.
/be
Comment 5 • 17 years ago (Reporter)
(In reply to comment #4)
> MikeM: are you calling JS_SetPrototype in your code?
No.
>
> What is the relation, if any, of pobj and obj along the prototype chain of obj?
> Start from (JSObject *)obj->fslots[0] and keep following fslots[0] till you hit
> null or pobj.
>
// was null from the beginning.
+ (JSObject *)obj->fslots[0] 0x00000000 {map=??? fslots=0x00000004 dslots=??? } JSObject *
Here are the other objects.
+ pobj 0x03d11020 {map=0x034b9898 fslots=0x03d11024 dslots=0x031c923c } JSObject *
+ obj 0x03d11000 {map=0x034b9620 fslots=0x03d11004 dslots=0x031cabb4 } JSObject *
Let me know what else you want to see.
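The prototype-chain walk requested in comment 4 and the assertion condition from the description, as an added example that is not part of the thread and not SpiderMonkey code. `Obj`, `PROTO_OF`, `proto_hops` and `fill_assert_holds` are hypothetical names; the struct models only `fslots[0]` as the prototype link, and the objects are constructed to mirror the state reported in comment 5.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for an engine object (assumption): only fslots[0],
 * the prototype link the thread refers to, is modelled. */
typedef struct Obj { struct Obj *fslots[1]; } Obj;
#define PROTO_OF(o) ((o)->fslots[0])
#define MAX_HOPS 64 /* stop on a cyclic or runaway chain */

/* Follow fslots[0] from obj until null or pobj is hit.
 * Returns the number of hops to pobj (0 if obj == pobj),
 * or -1 if the chain ends or exceeds MAX_HOPS first. */
int proto_hops(const Obj *obj, const Obj *pobj)
{
    int hops = 0;
    for (const Obj *o = obj; o != NULL && hops <= MAX_HOPS;
         o = PROTO_OF(o), hops++) {
        if (o == pobj)
            return hops;
    }
    return -1;
}

/* Condition quoted in the report:
 *   JS_ASSERT_IF(scopeIndex == 0,
 *                protoIndex != 1 || OBJ_GET_PROTO(cx, obj) == pobj);
 * Returns 1 when it holds, 0 when the assert would fire. */
int fill_assert_holds(unsigned scopeIndex, unsigned protoIndex,
                      const Obj *obj, const Obj *pobj)
{
    if (scopeIndex != 0)
        return 1;
    return protoIndex != 1 || PROTO_OF(obj) == pobj;
}

int main(void)
{
    /* Constructed: obj has a null fslots[0], pobj is a separate object. */
    Obj pobj = { { NULL } }, obj = { { NULL } };
    /* Constructed: an object whose direct prototype is pobj. */
    Obj child = { { &pobj } };

    printf("reported: hops=%d holds=%d\n", proto_hops(&obj, &pobj),
           fill_assert_holds(0, 1, &obj, &pobj));
    printf("expected: hops=%d holds=%d\n", proto_hops(&child, &pobj),
           fill_assert_holds(0, 1, &child, &pobj));
    return 0;
}
```

A cache fill that claims protoIndex 1 is consistent only when the walk returns 1; with the reported state the walk returns -1 and the condition fails.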
Comment 6 • 17 years ago (Assignee)
Best if you can hop on IRC and /query me (brendan or brendan_work) and we can avoid doing this via bugzilla.
Also, please file a new bug. This is not the same bug that was patched, and the patch that landed is a fix that won't be backed out. One bug per patch is best.
/be
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Comment 7 • 17 years ago (Assignee)
Sorry, mixed this up with bug 418139. No patch here yet!
/be
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8 • 17 years ago (Reporter)
Assigned this to you Brendan so it doesn't get lost...
Assignee: general → brendan
Status: REOPENED → NEW
Priority: -- → P2
Comment 9 • 17 years ago (Assignee)
Real bug, would like to patch for b5. MikeM's embedding does something unusual but it breaks the property cache and the fix is easy. I'd rather fix sooner.
/be
Status: NEW → ASSIGNED
Flags: blocking1.9?
Priority: P2 → P1
Target Milestone: --- → mozilla1.9beta5
Comment 10 • 17 years ago (Assignee)
MikeM, holler if this doesn't do it.
/be
Attachment #310182 - Flags: review?(shaver)
Comment 11 • 17 years ago (Reporter)
Yes the fix is good. r+ from me!
Comment 12 • 17 years ago
Comment on attachment 310182: fix
r=shaver -- I presume this is testable in shell?
Attachment #310182 - Flags: review?(shaver) → review+
Comment 13 • 17 years ago (Assignee)
(In reply to comment #12)
> (From update of attachment 310182)
> r=shaver -- I presume this is testable in shell?
It should be possible to extend the "it" object and its_resolve to test this bug.
/be
Comment 15 • 17 years ago (Assignee)
Fixed -- will attend to the test after impending deadlines.
js/src/jsinterp.c 3.480
js/src/jsinterp.h 3.88
/be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED