Closed Bug 449666 Opened 15 years ago Closed 15 years ago

TM: Assertion failure: JSSTRING_IS_FLAT during trace recording

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sayrer, Assigned: sayrer)

References

(
URL
)

Details

(Keywords: assertion, testcase)

Attachments

(4 files)

native and JS stack traces
8.91 KB, text/plain
Details
test case
821 bytes, text/html
Details
shell test case
804 bytes, text/plain
Details
fix
1.09 KB, patch
brendan
: review+
Details | Diff | Splinter Review 
Hitting this on blogspot.com blogs
Blocks: landtm

    
    

    
  

      
      
      
      

        Attached file
          
        test case
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        shell test case
      

    


  

    
  

        Attachment #332809 -
        Attachment mime type: application/x-javascript → text/plain

    
    

    
  
We have some parts that require flat strings, but they should be guarded, and I wouldn't expect to see quite that stack.

    
    

    
  
Easy to fix: tracer needs to js_InternNonIntElementId (as interpreter JSOP_GETELEM case code will shortly -- so tracer should update the stack slot to save a redundant intern'ing). Anyone want to grab this, it's easy?

/be

    
  
Keywords: assertion, 
          
            testcase

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  

        Attachment #333103 -
        Flags: review?(brendan)

    
    

    
  
Comment on attachment 333103 [details] [diff] [review]
fix

>+        JSObject *obj = JSVAL_TO_OBJECT(l);
>+
>+        if (!js_InternNonIntElementId(cx, obj, r, &id))
>+            return false;

Looks good, only thought is to cut through the E4X fog by calling js_ValueToStringId instead (js_InternNonIntElementId takes obj only to check whether it's XML, and if not just calls js_ValueToStringId). We know r is a string here, not an object (not a QName, an E4X compound identifier). Modularity is secondary both given how tight the tracer is with the interpreter, and because we have weeded out non-string r cases already.

r=me with that if you buy it, else as is.

/be

        Attachment #333103 -
        Flags: review?(brendan) → review+

    
  
Assignee: general → sayrer

    
    

    
  
http://hg.mozilla.org/index.cgi/tracemonkey/rev/537fe0d1d47e
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/422f9867bff9
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-449666.js,v  <--  regress-449666.js
initial revision: 1.1
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.