Closed Bug 463259 Opened 11 years ago Closed 11 years ago

"Assertion failure: VALUE_IS_FUNCTION(cx, fval)"

Categories: Core :: JavaScript Engine, defect, P1, critical
Tracking: VERIFIED FIXED, mozilla1.9.1b2
People: Reporter: jruderman, Assigned: brendan
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 2 files, 1 obsolete file
Attached file stack trace
(function(){
  eval("(function(){ for (var j=0;j<4;++j) if (j==3) undefined(); })();");
})();

Assertion failure: VALUE_IS_FUNCTION(cx, fval), at ../jstracer.cpp:5278

Yay, "branch instability" in jsfunfuzz found a bug!

I think this is a regression from the last day or so.  jsfunfuzz is hitting it a lot.
Regression from patch for bug 462989.

/be
Assignee: general → brendan
Blocks: 462989
Status: NEW → ASSIGNED
Flags: blocking1.9.1?
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b2
WFM with TM tip.
Attached patch fix (obsolete)
We could check in JSOP_CALLNAME's recorder but this checking matches the interpreter and it is the smallest change. The JSVAL_IS_FUNCTION check being in guardShapelessCallee was an optimization that depended on bug 462989.

/be
Attachment #346539 - Flags: review?(gal)
Still happens for me with TM tip.
Attached patch fix
mrbkap pointed out a few things...

/be
Attachment #346539 - Attachment is obsolete: true
Attachment #346540 - Flags: review?(mrbkap)
Attachment #346539 - Flags: review?(gal)
Attachment #346540 - Flags: review?(mrbkap) → review+
Fixed:

http://hg.mozilla.org/tracemonkey/rev/c251a3dde8f8

/be
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/mozilla-central/rev/37b3fdbb0f07
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-463259.js,v  <--  regress-463259.js
initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
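
An added example, not part of the bug report, its patch or the Mozilla test suite: a regression-style check that runs the reported testcase and variants of it, and confirms that calling a non-callable value by name on a late loop iteration ends in a TypeError. The helper names (runCase, originalTestcase, checkAll), the __notCallable and __passes globals, the extra non-callable values and the iteration counts are assumptions made for illustration.

```javascript
// Added example: names below are hypothetical, not from the bug or its patch.
// Values that must never be callable; each is bound to a global name so the
// call site resolves it by name, as `undefined()` does in the reported testcase.
const NON_CALLABLES = [undefined, null, 0, "str", true, {}];

// The testcase exactly as reported, wrapped so a throw becomes a return value.
function originalTestcase() {
  try {
    (function(){
      eval("(function(){ for (var j=0;j<4;++j) if (j==3) undefined(); })();");
    })();
    return "no exception";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : String(e);
  }
}

// Run the same loop shape with `value` as the callee and `iterations` passes.
// The bad call happens only on the last pass, after the loop body has already
// executed several times without it.
function runCase(value, iterations) {
  globalThis.__notCallable = value;
  globalThis.__passes = 0;
  const src =
    "(function(){ for (var j=0;j<" + iterations + ";++j) { __passes = j + 1; " +
    "if (j==" + (iterations - 1) + ") __notCallable(); } })();";
  let threwTypeError = false;
  try {
    (function(){ eval(src); })();
  } catch (e) {
    threwTypeError = e instanceof TypeError;
  }
  return { threwTypeError, passes: globalThis.__passes };
}

// Returns descriptions of every case that did not end in a TypeError raised
// on the final pass; an empty array means all cases behaved correctly.
function checkAll(iterationCounts = [4, 100]) {
  const failures = [];
  for (const value of NON_CALLABLES) {
    for (const n of iterationCounts) {
      const r = runCase(value, n);
      if (!r.threwTypeError || r.passes !== n) {
        failures.push(`${String(value)} x${n}: ${JSON.stringify(r)}`);
      }
    }
  }
  return failures;
}
```

On an engine build with assertions enabled, a failed assertion ends the process before any value is returned, so a run that produces no result counts as a failure as much as a non-empty list does.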