Closed
Bug 517637
Opened 15 years ago
Closed 15 years ago
TM: "Assertion failure: sprop->methodValue() == prev"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2
People
(Reporter: jruderman, Assigned: brendan)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file, 1 obsolete file)
|
2.16 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
js> for (var j = 0; j < 7; ++j) uneval({x: function () {}})
Assertion failure: sprop->methodValue() == prev, at ../jsscope.cpp:1583
js> for (var j = 0; j < 7; ++j) ({x: function () {}}).x
Assertion failure: sprop->methodValue() == *vp, at ../jsscope.h:676
Doesn't crash opt. Requires -j. TM rev 32d61518f755+.
|
||
Comment 1•15 years ago
|
||
I get this on jsfunfuzz too. autoBisect shows this is probably related to bug 471214: The first bad revision is: changeset: 32130:842e6c09e35a user: Brendan Eich date: Thu Sep 03 14:41:19 2009 -0700 summary: Join lambdas assigned or initialized as methods to the compiler-created function object if we can, with a read barrier to clone on method value extractions other than call expressions (471214, r=jorendorff).
|
Assignee | |
Comment 2•15 years ago
|
||
Urgh, the patch for bug 471214 was not complete. Glad Gary's fuzzing found this. Wonder how rare it is on the web. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•15 years ago
|
Attachment #401911 -
Flags: review?(jorendorff)
|
||
Comment 3•15 years ago
|
||
Comment on attachment 401911 [details] [diff] [review] fix Yep, I don't know how I managed to overlook this. The patch is missing trace-tests. r=me with that fixed.
Attachment #401911 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 4•15 years ago
|
||
Wasn't caffeinated enough earlier, trace-tests ftw. Thanks, /be
Attachment #401911 -
Attachment is obsolete: true
Attachment #401954 -
Flags: review?(jorendorff)
|
|
||
Updated•15 years ago
|
Attachment #401954 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 5•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/27a40bf30ef3 /be
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.2
|
|
Assignee | |
Comment 7•15 years ago
|
||
This patch needs to get onto m-c and 1.9.2 ASAP. The other regressions blocking bug 471214 could be dups of this one. /be
|
|
Assignee | |
Comment 8•15 years ago
|
||
Er, I see this on m-c. Finding the hg shortlog entry for the landing... http://hg.mozilla.org/mozilla-central/rev/27a40bf30ef3 Still needed on 1.9.2 according to bug request flags. /be
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 9•15 years ago
|
||
Sorry, lame bug reading on my part. This is fixed on m-c, though, so should be resolved. The other regressions from bug 471214 must be distinct problems. Sayrer, can you confirm? /be
|
||
Comment 10•15 years ago
|
||
(In reply to comment #9) > Sorry, lame bug reading on my part. This is fixed on m-c, though, so should be > resolved. The other regressions from bug 471214 must be distinct problems. I didn't land 471214 on 1.9.2 because of its regressions. This bug is fixed on m-c. I must have missed it when I was setting things FIXED.
|
||
Comment 12•15 years ago
|
||
js/src/trace-test/tests/basic/testMethodInitDeref.js js/src/trace-test/tests/basic/testMethodInitUneval.js
Flags: in-testsuite+
|
||
Comment 14•15 years ago
|
||
Need a blocking decision here for mozilla-1.9.2.
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2-
|
|
Assignee | |
Comment 15•15 years ago
|
||
Bug 524826 fixed some obvious non-parallel logic in jstracer.cpp added here. /be
Depends on: 524826
You need to log in
before you can comment on or make changes to this bug.
Description
•