Closed Bug 490191 Opened 17 years ago Closed 17 years ago

"Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp" with defineGetter, eval

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.9.2a1

People

(Reporter: gkw, Assigned: brendan)

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

function f(param) {
  var w;
  return eval("\
    (function(){\
      __defineGetter__(\"y\", function()({\
        x: function(){ return w }()\
      }))\
    });\
  ");
}
(f())();
(new Function("eval(\"y\")"))();

asserts dbg js shell without -j at Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp:2044

autoBisect shows this is possibly related to bug 488034:

The first bad revision is:
changeset: 27186:70111870bcf8
user: Brendan Eich
date: Mon Apr 13 14:16:15 2009 -0700
summary: Bug 488034 - Crash [@ js_GetUpvar] or "Assertion failure: (script)->upvarsOffset != 0, at ../jsinterp.cpp" (r=mrbkap).
Flags: blocking1.9.1?
Summary: "Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp" → "Assertion failure: slot < fp->script->nslots, at ../jsinterp.cpp" with defineGetter, eval
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1
Flags: blocking1.9.1? → blocking1.9.1+
Same underlying cause as bug 491806, fixed by that bug's patch. Dup'ing forward, setting in-testsuite? to get this bug's fuzzer-generated test captured under js/tests.

Rob, please make bug 491806 block. Thanks.

Bob, if making bug 491806 block this bug is better please feel free to reopen and set the dependency. I'm happy to be schooled, but at this point it's clear this bug and bug 491806 are due to the same flaw in comprehension expression blockid adjustment, described in bug 491806 comment 1. Thanks for any tips.

/be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → DUPLICATE
Yikes, comment 1 was meant for bug 490568. Sorry about the mess! /be
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Status: REOPENED → ASSIGNED
Attached patch spot-fix for now
Ideally we would recognize upvars that cross eval to its function caller in the parser, along with gvars. But that is hard and this is easy, and it looks to be sufficient. Blake, your upvar analysis thinking-cap is required. /be
Attachment #376505 - Flags: review?(mrbkap)
Attachment #376505 - Flags: review?(mrbkap) → review+
Whiteboard: fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
This checkin is in a range suspected to have caused a TXul regression on OSX:

Regression: Txul increase from 312.789 to 326.947 (4.53%) on Sun May 10 16:20:00 2009. Mac105 1.9.2 build 20090510132032
http://graphs.mozilla.org/#show=794371,794398,794384&sel=1241813896,1242159496
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6ea54bfd7c28&tochange=a6068cf686fe
Depends on: 492355
Filed bug 492355 to track that regression.
No longer depends on: 492355
Verified fixed with testcase in comment 0 with the following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090522 Minefield/3.6a1pre ID:20090522133810
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090522 Shiretoko/3.5pre ID:20090522153422
Status: RESOLVED → VERIFIED
Target Milestone: mozilla1.9.1 → mozilla1.9.2a1
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+