Closed Bug 504078 Opened 15 years ago Closed 15 years ago

iterating over "window" causes subsequent iteration over another object to fail with bizarre javascript error


(Core :: JavaScript Engine, defect, P2)




Tracking Status
status1.9.2 --- beta5-fixed
blocking1.9.1 --- -
status1.9.1 --- ?


(Reporter: iko, Assigned: Waldo)



(Keywords: intermittent-failure, regression, Whiteboard: [fixed-in-tracemonkey])


(3 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/2009042807 Iceweasel/3.0.9 (Debian-3.0.9-1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

Using a function to first iterate over a generic object, then iterate over the window object, and then again trying to iterate over a generic object (the same or another) results in the JavaScript code failing with "var prop is not a function" (where "var prop" is the LHS of the "in" operator).

Reproducible: Always

Steps to Reproduce:
load attached "length.html"
Actual Results:  
Observe that the alert never appears. When run in a debugger (i.e. Firebug) it will die in the keys() function on the third call with the error "var prop is not a function".

Expected Results:  
alert should appear
data2 should be iterated over
Version: unspecified → 3.5 Branch
I was able to reproduce this on Windows Vista.
Regression range:
Assignee: nobody → general
Component: General → JavaScript Engine
Ever confirmed: true
Keywords: regression
OS: Linux → All
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Version: 3.5 Branch → Trunk
Flags: blocking1.9.2?
The reporter reported this on branch, and all the JS check ins in the range are also checked in on branch.
blocking1.9.1: --- → ?
Rob, Andreas, Brendan: can you take a look and renominate if you think we need to fix this in a dot-release?
blocking1.9.1: ? → -
Flags: blocking1.9.2?
Flags: blocking1.9.2+
Priority: -- → P1
Assignee: general → jwalden+bmo
waldo, could you take a look at this?
status1.9.1: --- → ?
This is marked as blocking Firefox 3.6a1, any ETA? Should it not block that milestone?
Haven't looked at this yet, guessing it will be pretty simple to diagnose and fix -- maybe end of next week, what with everything on my plate currently?  This is kind of a wild guess, to be honest, having not spent time investigating yet.
Thanks for the ETA; Sayrer, does this really need to block the alpha/branch? Needed for mobile?
regression changeset: 29380:1c0654b97fe1
user: Graydon Hoare <>
date: Thu Jun 18 14:47:57 2009 -0700
summary: Bug 497060 - Disable JIT on non-global initial scope chain, r=brendan.
Blocks: 497060
Downgrading for the moment, this is in 3.5 already and not something that necessarily has to block 3.6a1 -- should be safe to punt further, fix seems unlikely to be complex and dangerous enough to warrant fixing *right now* and no later...
Priority: P1 → P2
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-504078.js,v  <--  regress-504078.js
initial revision: 1.1
Flags: in-testsuite+
Hum, so we somehow exit back to the interpreter with an Iterator object on which we're going to try and call next(), but the Iterator has no "next" property, nothing on its prototype chain does, of course, and that gets us back undefined which can't be called as a function.  Weird.
We shouldn't be in the custom_iter_next imacro here, we should be in the native_iter_next imacro.  Something's making unwarranted assumptions here about iterator type or somesuch; more after lunch.
(We do record through nextiter for the first object as a native case, then through nextiter for window as a custom case [presumably due to a branch exit from the first trace], then through nextiter for the third object as a native case, tho.)
Attachment #410703 - Flags: review?(jorendorff)
Comment on attachment 410703
The old new mistake

D'oh -- my bad, sorry.

Attachment #410703 - Flags: review?(jorendorff) → review+
Whiteboard: fixed-in-tracemonkey
js1_5/Regress/regress-504078.js appears to randomly pass on mc/windows.
Whiteboard: fixed-in-tracemonkey → [orange][fixed-in-tracemonkey]
Closed: 15 years ago
Resolution: --- → FIXED
These bugs landed after b4 was cut. Moving flag out.
Blocks: 438871
Whiteboard: [orange][fixed-in-tracemonkey] → [fixed-in-tracemonkey]