Assertion failure: original == thisv || original == OBJECT_TO_JSVAL(obj), at /Users/smaug/mozilla/hg/mozilla/js/src/jstracer.cpp:6761


Reporter: smaug, Assigned: gal


The assertion happens using an up-to-date trunk debug build.
Go to and click the current top news (currently something about Obama)

0   libmozjs.dylib                	0x003420b0 JS_Assert + 64 (jsutil.cpp:69)
1   libmozjs.dylib                	0x00382c96 TraceRecorder::getThis(nanojit::LIns*&) + 1302 (jstracer.cpp:6761)
2   libmozjs.dylib                	0x003909bc TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) + 8092 (jstracer.cpp:9203)
3   libmozjs.dylib                	0x00296a8f js_Interpret + 41327 (jsinterp.cpp:3039)
4   libmozjs.dylib                	0x002b95db js_Invoke + 1659 (jsinterp.cpp:1394)
5   libmozjs.dylib                	0x002ba01f js_InternalInvoke + 159 (jsinterp.cpp:1448)
6   libmozjs.dylib                	0x0022b583 JS_CallFunctionValue + 147 (jsapi.cpp:5197)
7   libgklayout.dylib             	0x12717151 nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 545 (nsJSEnvironment.cpp:2037)
8   libgklayout.dylib             	0x127369e3 nsGlobalWindow::RunTimeout(nsTimeout*) + 1859 (nsCOMPtr.h:777)
9   libgklayout.dylib             	0x1273782e nsGlobalWindow::TimerCallback(nsITimer*, void*) + 46 (nsGlobalWindow.cpp:8128)
10  libxpcom_core.dylib           	0x004d9dcf nsTimerImpl::Fire() + 1007 (nsTimerImpl.cpp:427)
11  libxpcom_core.dylib           	0x004da0f4 nsTimerEvent::Run() + 100 (nsAutoPtr.h:956)
12  libxpcom_core.dylib           	0x004d11fe nsThread::ProcessNextEvent(int, int*) + 526 (nsThread.cpp:511)
13  libxpcom_core.dylib           	0x00454827 NS_ProcessPendingEvents_P(nsIThread*, unsigned int) + 71
14  libwidget_mac.dylib           	0x1454ed12 nsBaseAppShell::NativeEventCallback() + 98 (nsBaseAppShell.cpp:122)
15  libwidget_mac.dylib           	0x1450adea nsAppShell::ProcessGeckoEvents(void*) + 634 (
The assertion was added in bug 495699
Happens on branch, and is not due to tracing lambda_fc
Attached patch: Fix?
Like 'null', Call objects are implicitly turned into the global object. I'm a little surprised that we hit this on the 1.9.1 branch, though. I thought activeCallOrGlobalSlot would have saved us there...
Need a testcase.
I'm not smart enough to write a testcase for this bug. I'll attach what I have, though.
Keywords: testcase-wanted
Attached file: not a testcase
The problem is that by the time we get into TraceRecorder::getThis, we've already computed 'this' once and have the wrapper -- I don't understand how the BBC gets around it.

A better way to make a testcase might be to minimize
Mrbkap helped with the patch and approved of it. He didn't stamp accidentally.
Pushed to TM.
Attached file: "testcase"
Attached file: "testcase" with correct link to js
Thanks bz.
Attached file: Minimal-ish HTML
more generic fix, needs a testcase

I realized that in order to match ComputeThis in jsinterp.cpp, we need to check for Blocks too.
I'm running Lithium to reduce the JS that bz attached.
Attached file: js, down from 7000 lines to 1685 lines
Lithium is still running, but here's what it has so far.
Made a few sneaky changes to speed up Lithium, let's see how much they help.
Attached file: js shell testcase (64 lines)
Still reducing, but I figured I'd attach something small that retained at least some of the flavor of the original.
verified FIXED on debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090629 Minefield/3.6a1pre ID:20090629082126


Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090629 Shiretoko/3.5pre ID:20090629082025
Automatically extracted testcase for this bug was committed:
