Closed Bug 452476 Opened 12 years ago Closed 12 years ago

TM: "Assertion failure: !cx->runningJittedCode" with getter, array comprehension

Categories

(Core :: JavaScript Engine, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

./js -j b6.js
Assertion failure: !cx->runningJittedCode, at jsinterp.cpp:2571

For some reason, it doesn't crash when the code is pasted into the interactive js shell.  Here's b6.js:

for(i = 0; i < 5; ++i) this["n" + i] = 1;
__defineGetter__('w', function(){}); 
[1 for each (g in this) for each (t in /x/g)];

Variants of the testcase crash in different ways, making this bug especially annoying for me when I'm trying to fuzz:
* Crash [@ js_ExecuteTree]
* Crash [@ TraceRecorder::getThis]
* Assertion failure: kind == MapGCFlagsToTraceKind(*flagp), at jsgc.cpp:2525
* Assertion failure: !JS_TRACE_MONITOR(cx).recorder ^ (jumpTable == recordingJumpTable), at jsinterp.cpp:3268

For example, changing the '5' to the '3' in the first line turns it into the last assertion.
This is a dup of bug 451657, and I want to smoke out all paths that reach that assertion and botch it. But to avoid mixing issues that might end up separate, and to keep bugs shorter, I'll use bug 451657 as a tracking bug. It will probably have a patch land for it, at some point, and then be closed. Anything after will need a new tracking bug, or ideally just one or two specific bugs. Sound ok?

/be
Depends on: 451657
WFM with this testcase now.
Summary: "Assertion failure: !cx->runningJittedCode" with getter, array comprehension → TM: "Assertion failure: !cx->runningJittedCode" with getter, array comprehension
This is fixed now, I think by the patch for bug 453411.

/be
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-452476.js,v  <--  regress-452476.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/b04c04268a94
Flags: in-testsuite+
Flags: in-litmus-
You need to log in before you can comment on or make changes to this bug.