Closed
Bug 458857
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failure: ngslots == tm->globalTypeMap->length()" with gc and generator as getters
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
RESOLVED
WORKSFORME
mozilla1.9.1b2
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: assertion, crash, testcase)
$ cat d3.js var h = {}; for (let i = 0; i < 5; ++i) h["a" + i] = function(){}; h.__defineGetter__('r', gc); h.__defineGetter__('q', function() { yield; }); h.__defineSetter__('r', function() { }); for (x in h) { } [1 for each (x in h) if ('')]; $ ~/tracemonkey/js/src/Darwin_DBG.OBJ/js -j d3.js before 28716, after 20480, break 00400000 Assertion failure: ngslots == tm->globalTypeMap->length(), at jstracer.cpp:2656 This bug can also cause a null deref in js_ExecuteTree.
Updated•16 years ago
|
Flags: blocking1.9.1+
Priority: -- → P2
Target Milestone: --- → mozilla1.9.1b2
Reporter | ||
Comment 1•16 years ago
|
||
Because my script for tracking known jsfunfuzz crashes ignores stack position, the js_ExecuteTree crash here may prevent me from noticing many other crashes.
Comment 2•16 years ago
|
||
js1_6/extensions/regress-455464-04.js also shows this
Updated•16 years ago
|
Assignee: general → danderson
CallIteratorNext is calling back into native code from on trace, which is a problem - but worse a GC hits and pulls everything out from under our feet.
Assignee: danderson → brendan
Reporter | ||
Comment 4•16 years ago
|
||
Bug 461915 might be related.
Reporter | ||
Comment 5•16 years ago
|
||
The patch for bug 458851 seems to have fixed bug 461915 but not this bug.
Assignee | ||
Comment 6•16 years ago
|
||
(In reply to comment #3) > CallIteratorNext is calling back into native code from on trace, which is a > problem - but worse a GC hits and pulls everything out from under our feet. See bug 462042. I'll focus on generator aspects here and leave GC not pulling everything out from under our feet for that bug. /be
Comment 7•16 years ago
|
||
WFM. I fixed the cause so I am comfortable closing.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 9•16 years ago
|
||
Filed bug 465225 on another crash caused by this testcase.
You need to log in
before you can comment on or make changes to this bug.
Description
•