Closed Bug 472599 Opened 16 years ago Closed 16 years ago

TM: "Assertion failure: JSVAL_IS_INT(STOBJ_GET_SLOT(callee_obj, JSSLOT_PRIVATE))" with __proto__, call, toString

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: Waldo)

Details

(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Check for function-ness
5.64 KB, patch
gal
: review+
brendan
: review-
Details | Diff | Splinter Review 
var a = (function(){}).prototype;
a.__proto__ = a.toString;
for (var i = 0; i < 4; ++i) { try{ a.call({}); } catch(e) { } }

Assertion failure: JSVAL_IS_INT(STOBJ_GET_SLOT(callee_obj, JSSLOT_PRIVATE)), at ../jstracer.cpp:6686

Similar to bug 469761, which mrbkap fixed a few weeks ago.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED

        Attachment #356465 -
        Flags: review?(gal)

    
    

    
  
Comment on attachment 356465 [details] [diff] [review]
Check for function-ness

I am usually against mixing comment fixes and code fixes, but on the other hand we need more code documentation and I like the text so what the hell.

        Attachment #356465 -
        Flags: review?(gal) → review+

    
    

    
  
Comment on attachment 356465 [details] [diff] [review]
Check for function-ness

>+/*
>+ * Call a function with the global object as the this value and with arguments
>+ * provided on the stack, consuming the function and arguments and replacing
>+ * them with the value returned from the function call. The topmost values on
>+ * the stack are the arguments (with the last argument at the top of the
>+ * stack), followed by the function to be called.  The number of arguments is a
>+ * 24-bit immediate operand to the instruction.

At least three bugs here:

1. The |this| parameter is not the global object, it's pushed already (argv[-1]) and may be any object, or null -- or a primitive for flagged natives.

2. The sentence "The topmost values on the stack are the arguments (with the last argument at the top of the stack), followed by the function to be called" does not mention |this|, even to rationalize it as an argument (argv[-1]).

3. The opcode has JOF_UINT16 format type, not JOF_UINT24.

Documentation like this is better done in a wiki, for easier incremental fixing and improving. The comment lines could easily dwarf non-comment lines, obscuring which column is which, making harder inter-op comparisons by readers.

The jsopcode.tbl change should be left out of the patch for this bug. Minus for it.

/be

        Attachment #356465 -
        Flags: review-

    
    

    
  
Checked in without the docs changes.
Flags: wanted1.9.1?
Whiteboard: fixed-in-tracemonkey

    
    

    
  
Brendan gave a - for the jsopcode.tbl change. Did you remove that?

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/9043aef7fffe
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: wanted1.9.1? → wanted1.9.1+
Resolution: --- → FIXED

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/6e5c9f1d6420
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-472599.js,v  <--  regress-472599.js
initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-

    
    

    
  
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: