Closed
Bug 475144
Opened 17 years ago
Closed 17 years ago
TM: "Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp" with eval, defineGetter, some
Categories: Core :: JavaScript Engine, defect, P2
Status: VERIFIED FIXED
People: Reporter: gkw, Assigned: gal
Keywords: assertion, testcase, verified1.9.1
function a() {}
function b() {}
function c() {}
eval("this.__defineGetter__(\"\", function(){ return new Function } )");
[[].some for each (x in this) for each (y in /x/g)];
$ ./js-dbg-tm-intelmac -j 56a.js
Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp:3617
Trace/breakpoint trap (core dumped)
The testcase must be parsed in as a file into the TM js shell. TM-only, seems to work as expected in opt. I'm at tracemonkey revision 24101 which already incorporates bug 474771.
===
$ cat 56a.js
function a() {}
function b() {}
function c() {}
eval("this.__defineGetter__(\"\", function(){ return new Function } )");
[[].some for each (x in this) for each (y in /x/g)];
$ cd ~/tracemonkey/
$ hg log | head
changeset: 24101:716fe0739e2b
tag: tip
user: Andreas Gal <gal@mozilla.com>
date: Fri Jan 23 22:28:34 2009 -0800
summary: I heard fixing spelling mistakes makes the tinderboxes happy (106386, r=me).
Flags: wanted1.9.1?
Assignee
Comment 2•17 years ago
(gdb) bt
#0 JS_Assert (s=0x19720c "!JS_ON_TRACE(cx)", file=0x1967f0 "../jsobj.cpp", ln=3617) at ../jsutil.cpp:63
#1 0x0009cf79 in js_FindPropertyHelper (cx=0x30bbf0, id=2687084, objp=0xbfffbfe4, pobjp=0xbfffbfe0, propp=0xbfffbfc4, entryp=0xbfffbeb8) at ../jsobj.cpp:3617
#2 0x0007c08b in js_Interpret (cx=0x30bbf0) at ../jsinterp.cpp:5110
#3 0x0008bd03 in js_Invoke (cx=0x30bbf0, argc=0, vp=0x81fe18, flags=0) at jsinterp.cpp:1334
#4 0x0008c331 in js_InternalInvoke (cx=0x30bbf0, obj=0x28e000, fval=2705656, flags=0, argc=0, argv=0x0, rval=0xbfffc76c) at jsinterp.cpp:1391
#5 0x0008c58d in js_InternalGetOrSet (cx=0x30bbf0, obj=0x28e000, id=2686980, fval=2705656, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffc76c) at jsinterp.cpp:1452
#6 0x00098cd6 in js_NativeGet (cx=0x30bbf0, obj=0x28e000, pobj=0x28e000, sprop=0x810a10, vp=0xbfffc76c) at ../jsobj.cpp:3739
#7 0x0009ce01 in js_GetPropertyHelper (cx=0x30bbf0, obj=0x28e000, id=2686980, vp=0xbfffc76c, entryp=0x0) at ../jsobj.cpp:3890
#8 0x0009cec4 in js_GetProperty (cx=0x30bbf0, obj=0x28e000, id=2686980, vp=0xbfffc76c) at ../jsobj.cpp:3904
#9 0x0008e9cf in CallEnumeratorNext (cx=0x30bbf0, iterobj=0x28e200, flags=3, rval=0xbfffc76c) at ../jsiter.cpp:566
#10 0x0008ed6d in js_CallIteratorNext (cx=0x30bbf0, iterobj=0x28e200, rval=0xbfffc76c) at ../jsiter.cpp:600
#11 0x001883e3 in js_FastCallIteratorNext (cx=0x30bbf0, iterobj=0x28e200) at ../jsbuiltins.cpp:258
#12 0x00253fb0 in ?? ()
#13 0xbfffee38 in ?? ()
#14 0x00142b40 in js_MonitorLoopEdge (cx=0x30bbf0, inlineCallCount=@0xbffff2a0) at ../jstracer.cpp:3963
#15 0x000664e6 in js_Interpret (cx=0x30bbf0) at ../jsinterp.cpp:3084
#16 0x0008afd4 in js_Execute (cx=0x30bbf0, chain=0x28e000, script=0x30e000, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1562
#17 0x0000fd60 in JS_ExecuteScript (cx=0x30bbf0, obj=0x28e000, script=0x30e000, rval=0x0) at ../jsapi.cpp:5083
#18 0x00008b58 in Process (cx=0x30bbf0, obj=0x28e000, filename=0xbffffa1c "x.js", forceTTY=0) at ../../shell/js.cpp:429
#19 0x0000976e in ProcessArgs (cx=0x30bbf0, obj=0x28e000, argv=0xbffff920, argc=2) at ../../shell/js.cpp:804
#20 0x00009a0a in main (argc=2, argv=0xbffff920, envp=0xbffff92c) at ../../shell/js.cpp:4555
Assignee
Comment 3•17 years ago
We re-enter the interpreter here from trace. This is a dup of jorendorff's bug. I am cc'ing him so he can decide whether to dup this or just make it dependent.
Assignee
Updated•17 years ago
Severity: critical → major
Flags: blocking1.9.1?
Priority: -- → P2
Assignee
Comment 4•17 years ago
This should require no additional work on top of jorendorff's patch. I suggest b+ to make sure we actually test/close it when jorendorff's stuff lands.
Comment 5•17 years ago
jorendorff's patch in bug 462042?
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Assignee
Comment 6•17 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=462027 will resolve this. I will retest when it lands.
Reporter
Comment 8•17 years ago
(In reply to comment #7)
> WFM with TM tip.
Apparently I forgot to resolve as WFM. Please verify this bug if possible.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Comment 9•17 years ago
I nitpicked Andreas about this. We know what fixed this and other bugs blocked by bug 462027, so this should be FIXED. WFM is for where the bug can't be repro'd and works for unknown reasons.
/be
Depends on: deepbail
Resolution: WORKSFORME → FIXED
Reporter
Updated•16 years ago
Summary: "Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp" with eval, defineGetter, some → TM: "Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp" with eval, defineGetter, some
Comment 11•16 years ago
http://hg.mozilla.org/tracemonkey/rev/bb04f44ae9c9
/cvsroot/mozilla/js/tests/js1_6/extensions/regress-475144.js,v <-- regress-475144.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
Comment 12•16 years ago
verified 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1