Closed Bug 455775 Opened 13 years ago Closed 13 years ago

"Assertion failure: cx->fp->flags & JSFRAME_EVAL" with new

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: assertion, testcase)

Attachments

(1 file, 1 obsolete file)

./js
js> (function() { var c; eval("new (c ? 1 : {});"); })();

Assertion failure: cx->fp->flags & JSFRAME_EVAL, at jsopcode.cpp:2735

Happens on mozilla-central and tracemonkey branch, does not require -j.
Attached patch Proposed fix (obsolete)
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #339129 - Flags: review?(brendan)
What frame is being skipped by the patch? We shouldn't push a new one for a primitive value as constructor, or an object that has no [[Construct]] internal method (to use ECMA's term).

/be
The problem is that js_Invoke (called from js_InvokeConstructor) sees that js_ObjectOps has a construct hook and is more than happy to call *that*, which pushes a frame onto cx->fp. Then, js_Construct notices that the given object doesn't have a construct *class* hook and reports the error.
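As an added example (not code from this bug and not SpiderMonkey code), the distinction brendan draws above, values with and without an ECMA [[Construct]] internal method, and the outcome mrbkap describes, `new` on a non-constructor ending in an error, seen from script rather than from the engine. The internal frame push itself is not observable from JavaScript; what is observable is that the target is never entered and that the error is a TypeError whether `new` runs directly or, as in the testcase, inside a direct eval. The sample values and the `isConstructor`/`tryNew`/`classify` helpers are constructed for this example; the error message text is engine-specific (it is what the decompiler in this bug was being asked to produce) and is only printed, not relied on.

```javascript
// Added example, not from this bug or from SpiderMonkey. Assumes a modern
// engine with Reflect, Proxy and classes (ES2015+). Sample inputs below are
// constructed for illustration.

// Probe construct-ability without calling the value: Reflect.construct checks
// IsConstructor(newTarget) and throws TypeError before invoking anything, so
// a non-constructor is rejected with no side effects on the value itself.
function isConstructor(value) {
  try {
    Reflect.construct(String, [], value);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Attempt `new target()` directly or through a direct eval (the bug's trigger)
// and report the outcome instead of letting the exception propagate.
function tryNew(target, viaEval) {
  try {
    const result = viaEval
      ? eval("new target()") // direct eval: `target` resolves in this scope
      : new target();
    return { ok: true, type: typeof result };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}

// Constructed sample inputs, one per case of interest.
let arrowCalls = 0;
const samples = {
  primitive: 1,                      // like `1` in the testcase: no [[Construct]]
  plainObject: {},                   // like `{}` in the testcase: no [[Construct]]
  arrow: () => { arrowCalls++; },    // callable, but arrows have no [[Construct]]
  method: ({ m() {} }).m,            // concise methods are not constructors either
  bound: function () {}.bind(null),  // bound functions keep the target's [[Construct]]
  classCtor: class {},               // a constructor
  proxyNoTrap: new Proxy({}, {}),    // a proxy is a constructor only if its target is
};

// Classify every sample: construct-ability, and whether `new` succeeded
// directly and via eval. Both `new` columns must agree with isCtor.
function classify() {
  const report = {};
  for (const [name, value] of Object.entries(samples)) {
    report[name] = {
      isCtor: isConstructor(value),
      direct: tryNew(value, false).ok,
      viaEval: tryNew(value, true).ok,
    };
  }
  return report;
}

// How many times the arrow body ran: stays 0, because a value without
// [[Construct]] is rejected before its body is ever entered.
function arrowBodyRuns() {
  return arrowCalls;
}

console.log(classify());
console.log("arrow body entered:", arrowBodyRuns(), "times");
console.log("eval message:", tryNew(samples.primitive, true).message);
```

The `Reflect.construct(String, [], value)` trick is the standard way to test IsConstructor from script: the target is a known constructor, and `value` is only inspected as the newTarget, never invoked. Running the block prints a table in which `isCtor`, `direct` and `viaEval` agree for every sample and the arrow counter stays at 0.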
Comment on attachment 339129 [details] [diff] [review]
Proposed fix

Sigh. Comment that a bit?

/be
Attachment #339129 - Flags: review?(brendan) → review+
Attached patch Updated
Here's the interdiff:

diff --git a/js/src/jsopcode.cpp b/js/src/jsopcode.cpp
--- a/js/src/jsopcode.cpp
+++ b/js/src/jsopcode.cpp
@@ -2732,6 +2732,11 @@ Decompile(SprintStack *ss, jsbytecode *p
                     /*
                      * We must be in an eval called from jp->fun, where
                      * jp->script is the eval-compiled script.
+                     *
+                     * However, it's possible that a js_Invoke already
+                     * pushed a frame trying to call js_Construct on an
+                     * object that's not a constructor, causing us to be
+                     * called with an intervening frame on the stack.
                      */
                     fp = cx->fp;
                     while (!(fp->flags & JSFRAME_EVAL))
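Review bot: the added comment explains why a frame may sit above the eval frame, but the loop that follows it, `while (!(fp->flags & JSFRAME_EVAL))` starting from `fp = cx->fp`, still assumes an eval frame exists somewhere down the chain, and nothing visible in the hunk checks `fp` before its flags are read on each iteration; if Decompile is ever reached here with no eval frame below, the walk would run off the end of the frame list. A JS_ASSERT(fp) in the loop (or an assertion that the next frame exists before stepping to it) would make that case fail loudly in debug builds instead of dereferencing a null frame. It would also help the comment to name the frame being skipped (the one js_Invoke pushed for the non-constructor object, per the discussion above) so the loop's expected bound of one intervening frame is explicit.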
Attachment #339129 - Attachment is obsolete: true
Attachment #340487 - Flags: review?(brendan)
Comment on attachment 340487 [details] [diff] [review]
Updated

Already r+'ed, wahh!

/be
Attachment #340487 - Flags: review?(brendan) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-455775.js,v  <--  regress-455775.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/b04c04268a94
Flags: in-testsuite+
Flags: in-litmus-