TM: "Assertion failure: !cx->runningJittedCode" with getter, array comprehension

RESOLVED FIXED

Status

Product: Core
Component: JavaScript Engine
Severity: critical

People

Reporter: Jesse Ruderman
Assignee: Unassigned

Tracking

Blocks: 1 bug
Version: Trunk
Platform: x86, Mac OS X
Keywords: assertion, crash, testcase
Bug Flags: in-testsuite +, in-litmus -
Firefox Tracking Flags: Not tracked

(Reporter)
Description

10 years ago
./js -j b6.js
Assertion failure: !cx->runningJittedCode, at jsinterp.cpp:2571

For some reason, it doesn't crash when the code is pasted into the interactive js shell.  Here's b6.js:

for(i = 0; i < 5; ++i) this["n" + i] = 1;
__defineGetter__('w', function(){}); 
[1 for each (g in this) for each (t in /x/g)];

Variants of the testcase crash in different ways, making this bug especially annoying for me when I'm trying to fuzz:
* Crash [@ js_ExecuteTree]
* Crash [@ TraceRecorder::getThis]
* Assertion failure: kind == MapGCFlagsToTraceKind(*flagp), at jsgc.cpp:2525
* Assertion failure: !JS_TRACE_MONITOR(cx).recorder ^ (jumpTable == recordingJumpTable), at jsinterp.cpp:3268

For example, changing the '5' to the '3' in the first line turns it into the last assertion.

Comment 1

This is a dup of bug 451657, and I want to smoke out all paths that reach that assertion and botch it. But to avoid mixing issues that might end up separate, and to keep bugs shorter, I'll use bug 451657 as a tracking bug. It will probably have a patch land for it, at some point, and then be closed. Anything after will need a new tracking bug, or ideally just one or two specific bugs. Sound ok?

/be
Depends on: 451657
(Reporter)

Comment 2

10 years ago
WFM with this testcase now.

Updated

10 years ago
Summary: "Assertion failure: !cx->runningJittedCode" with getter, array comprehension → TM: "Assertion failure: !cx->runningJittedCode" with getter, array comprehension

Comment 3

This is fixed now, I think by the patch for bug 453411.

/be
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 4

10 years ago
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-452476.js,v  <--  regress-452476.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/b04c04268a94
Flags: in-testsuite+
Flags: in-litmus-