Closed
Bug 510655
Opened 16 years ago
Closed 16 years ago
TM: "Assertion failure: argsobj->getPrivate() == fp, at ../jsfun.cpp"
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED
status1.9.2: beta1-fixed
People: Reporter: gkw, Assigned: dmandelin
Details: 4 keywords, Whiteboard: fixed-in-tracemonkey
Attachments (1 file)
Patch (1.29 KB, patch); igor: review+
(function () {
  for (b in [0, 0]) {
    (eval("\
      [this\
      for (b in [\
        [undefined],\
        arguments,\
        [undefined]\
      ])\
      ]\
    "))
  }
})()
asserts js dbg shell with -j on TM branch at Assertion failure: argsobj->getPrivate() == fp, at ../jsfun.cpp:298
Flags: blocking1.9.2?
Reporter
Comment 1•16 years ago
autoBisect shows this is probably related to bug 495061 :
The first bad revision is:
changeset: 31470:8702299aa4dc
user: Igor Bukanov
date: Fri Aug 14 20:43:16 2009 +0200
summary: bug 495061 - js_PutArgsObject and js_PutCallObject that never fail. r=brendan
Blocks: 495061
Assignee
Comment 2•16 years ago
I'm guessing the assert uncovered a bug in tracing |arguments|.
Assignee: general → dmandelin
Assignee
Comment 3•16 years ago
The problem is this:
When leaving a trace, if any synthesized frame has an argsobj, we set argsobj->private() to that frame. (On trace, we can't set the frame, because it doesn't exist. So we do it on exit.) But this is invalid for frames that are created by js_Execute: they can have a copy of fp->down->argsobj, in which case they already have a private pointer, which we shouldn't mess with.
Attachment #394912 - Flags: review?(igor)
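To make the ownership problem in comment 3 concrete, here is a simplified C model added for this page (not SpiderMonkey code; the struct layout, `flush_args_privates` and the `check_owner` switch are hypothetical). It shows that the pre-patch trace-exit walk repoints a shared args object at the eval frame, which is exactly the state the `argsobj->getPrivate() == fp` assertion in jsfun.cpp catches once the owning frame puts its arguments object.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model, not SpiderMonkey code: an args object records its owning
 * frame in a private slot, the way argsobj->getPrivate() does. */
typedef struct Frame Frame;
typedef struct { Frame *priv; } ArgsObj;
struct Frame {
    Frame   *down;     /* calling frame, NULL for the outermost one */
    bool     callee;   /* stands for a non-NULL fp->callee */
    ArgsObj *argsobj;  /* NULL if the frame never touched |arguments| */
};

/* Trace-exit fix-up over n synthesized frames; check_owner == false is the
 * pre-patch behaviour, true applies the ownership test from the patch. */
static void flush_args_privates(Frame *fp, int n, bool check_owner)
{
    for (; n != 0; fp = fp->down) {
        --n;
        if (!fp->callee || !fp->argsobj)
            continue;
        /* A js_Execute frame copies fp->down->argsobj; it is not the owner. */
        if (check_owner && fp->down && fp->argsobj == fp->down->argsobj)
            continue;
        fp->argsobj->priv = fp;
    }
}

/* The assertion from the bug title, checked for every owning frame. */
static bool invariant_holds(const Frame *fp)
{
    for (; fp; fp = fp->down)
        if (fp->argsobj && !(fp->down && fp->argsobj == fp->down->argsobj)
            && fp->argsobj->priv != fp)
            return false;
    return true;
}

/* Constructed scenario: |outer| existed before the trace and owns the args
 * object; |inner| is an eval frame synthesized on trace by js_Execute and
 * shares it, so only |inner| is fixed up on exit. */
bool shared_argsobj_survives_exit(bool check_owner)
{
    Frame outer = { NULL, true, NULL };
    ArgsObj args = { &outer };
    Frame inner = { &outer, true, &args };
    outer.argsobj = &args;
    flush_args_privates(&inner, 1, check_owner);
    return invariant_holds(&inner);
}
```

With `check_owner` false the walk leaves `args.priv` pointing at the eval frame, so the invariant fails for `outer`; with the patch's test it is untouched and holds.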
Comment 4•16 years ago
Comment on attachment 394912 [details] [diff] [review]
Patch
>diff -r ad2312d97029 js/src/jstracer.cpp
>--- a/js/src/jstracer.cpp Mon Aug 17 12:05:54 2009 -0700
>+++ b/js/src/jstracer.cpp Mon Aug 17 14:38:15 2009 -0700
>@@ -2525,8 +2525,12 @@
> for (; n != 0; fp = fp->down) {
> --n;
> if (fp->callee) {
>- if (fp->argsobj)
>+ // If |fp->argsobj == fp->down->argsobj|, then fp is a frame created
>+ // by js_Execute and the args object does not belong to fp.
>+ if (fp->argsobj &&
>+ (!fp->down || fp->argsobj != fp->down->argsobj)) {
> JS_SetPrivate(cx, JSVAL_TO_OBJECT(fp->argsobj), fp);
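Review bot: the new `if (fp->argsobj && ... ) {` line opens a block whose closing `}` is not in the quoted hunk (the header promises 12 post-change lines and only 8 are shown), so the brace change and any reindentation of the `JS_SetPrivate` call should be quoted as well before the hunk can be reviewed as a whole. The two-line comment explains only the js_Execute case; adding a clause for the `!fp->down` leg, for example that an outermost synthesized frame always owns its args object, would document why that frame still gets its private pointer set.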
Pre-existing nit - use JSVAL_TO_OBJECT(fp->argsobj)->setPrivate(fp); here. I should have done that in bug 493457.
Attachment #394912 - Flags: review?(igor) → review+
Assignee
Comment 5•16 years ago
Pushed to TM with nit fixed as 19728bf133dd. (Somehow I knew about getPrivate() but not setPrivate(). Well, now I do, anyway. :-) )
Whiteboard: fixed-in-tracemonkey
Comment 6•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 7•16 years ago
Blocking, P1. Dmandelin says it's scary, too.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
Comment 8•16 years ago
status1.9.2: --- → beta1-fixed