Closed Bug 506347 Opened 15 years ago Closed 15 years ago

Assertion failure: OBJ_SCOPE(pobj)->object == pobj, at ../jsinterp.cpp

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Linux
defect

RESOLVED FIXED
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: gkw, Assigned: jorendorff)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

    let(x)((function () { for (y in [x, x]) with({}); })())

asserts dbg js shell on TM branch without -j at

    Assertion failure: OBJ_SCOPE(pobj)->object == pobj, at ../jsinterp.cpp:444

autoBisect shows this is probably related to bug 503080:

    The first bad revision is:
    changeset: 30378:3915e2d2c748
    user: Jason Orendorff
    date: Tue Jul 21 16:25:11 2009 -0500
    summary: Bug 503080 - Remove prototype-scope-sharing. r=brendan.
Flags: blocking1.9.2?
Assignee: general → jorendorff
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
Attached patch v1
The assertion needs to be weakened. In this case `pobj` is a Block object, so it does actually share a scope. Before this patch, I guess the property was actually found on the Block's prototype. Now it is found on the Block itself. I think it would be nice if we could make Block-clones proto-less, but JSOP_LEAVEEXPR uses the proto:

    if (OBJ_GET_PROTO(cx, obj) == fp->blockChain) {
        ...js_PutBlockObject...
    }
Attachment #390928 - Flags: review?(brendan)
Attachment #390928 - Flags: review?(brendan) → review+
Comment on attachment 390928
v1

Generally we don't compare == or != NULL (exception: when left operand is nested assignment expression in loop condition). Better yet, use

    JS_ASSERT_IF(OBJ_SCOPE(pobj)->object, OBJ_SCOPE(pobj)->object == pobj);

r=me with that.

/be
I had a JS crash while running browser-chrome tests on Windows; applying this patch solved them. Here is the stack trace: http://mozilla.pastebin.com/m1113c556
PS: the crash was persistent; I was able to reproduce it at every run, same point.
Whiteboard: fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Mass change: adding fixed1.9.2 keyword (This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2