Bug 531513
TM: "Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h"
Status: RESOLVED FIXED
Opened 16 years ago
Closed 16 years ago
Categories: Core :: JavaScript Engine, defect
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | final-fixed |
People: Reporter: gkw, Assigned: dvander
Keywords: assertion, regression, testcase
Whiteboard: fixed-in-tracemonkey
Attachments (2 files, 1 obsolete file):
3.56 KB, patch (gal: review+)
3.98 KB, patch
```js
try {
  (eval("\
(function() {\
for (var y = 0; y < 4; y++) {\
w = y\
}\
})")
  )()
} catch(e) {}
(function() {
  for (v in (x = {})) {}
})();
(function() {
  for (var z = 0; z < 8; z++) {
    if (z == 5) {
      x /= x
    } else {
      for each(w in [1]) {}
    }
  }
})()
```
asserts js debug shell on TM tip with -j at Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at ../jsapi.h:204
autoBisecting soon...
Comment 1 • 16 years ago (Reporter)
Forgot to add, 64-bit shell on 10.6.2, haven't tried with 32-bit yet...
Comment 2 • 16 years ago (Reporter)
This occurs both in 64-bit and 32-bit js shells in 10.6.2.
Comment 3 • 16 years ago (Reporter)
autoBisect shows that this is probably related to bug 509093:
The first bad revision is:
changeset: 31583:7a1032f3aac0
user: David Anderson
date: Mon Aug 17 18:01:00 2009 -0700
summary: Improved joinEdgesToEntry functionality and cleanliness (bug 509093, r=sayrer,gal).
Blocks: 509093
Comment 4 • 16 years ago (Reporter)
Nominating blocking1.9.2? because possibly-related bug 509093 has landed on 1.9.2 branch.
Flags: blocking1.9.2?
Updated • 16 years ago
Assignee: general → dvander
Flags: blocking1.9.2? → blocking1.9.2+
Comment 5 • 16 years ago (Assignee)
Ugh. When I did that cleanup, this was the one piece of functionality I changed. Turns out it's not safe as written. What happens:
1. Peer #1 is built, does not have global X. The tail is type-unstable.
2. Peer #2 is built, adds X as TT_OBJECT along the way. The tail is TT_DOUBLE.
If the edge of peer #1 is linked to peer #2, then peer #1 won't necessarily get correctly specialized. It really has to get TT_OBJECT from the entry of the peer #2, rather than the current global state.
Attachment #415143 - Flags: review?(gal)
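Added example, not part of the bug thread and not TraceMonkey source: a simplified C++ model of the linking problem described in comment 5. Only `TT_OBJECT` and `TT_DOUBLE` come from the bug; the slot layout, types and function names are hypothetical.

```cpp
#include <cstddef>
#include <vector>

// Simplified model, not TraceMonkey source. TT_OBJECT and TT_DOUBLE are the
// names used in the bug; every other identifier here is hypothetical.
enum TraceType { TT_OBJECT, TT_DOUBLE };

// Types a tree assumes for the global slots it tracks, indexed by slot.
using TypeMap = std::vector<TraceType>;

struct Peer {
    TypeMap entry;  // global types assumed on entry to the tree
    TypeMap tail;   // global types at the tree's tail exit
};

// Give `map` a type for every slot it does not track yet, copied from `source`.
void specializeMissing(TypeMap& map, const TypeMap& source) {
    for (std::size_t slot = map.size(); slot < source.size(); ++slot)
        map.push_back(source[slot]);
}

// An exit can be linked to a peer only if its types equal that peer's entry.
bool edgeMatchesEntry(const TypeMap& exitTypes, const TypeMap& targetEntry) {
    return exitTypes == targetEntry;
}

// Constructed scenario. Slot 0 is a global both peers track; slot 1 is
// global X, which only peer #2 tracks (object on entry, double at the tail).
struct Scenario {
    Peer peer1{{TT_OBJECT}, {TT_DOUBLE}};  // type-unstable tail, no X
    Peer peer2{{TT_DOUBLE, TT_OBJECT}, {TT_DOUBLE, TT_DOUBLE}};
    TypeMap currentGlobals{TT_DOUBLE, TT_DOUBLE};  // live state: X is a double
};

// Unsafe: specialize peer #1's missing slot from the live global state.
bool linkUsingCurrentGlobals() {
    Scenario s;
    specializeMissing(s.peer1.tail, s.currentGlobals);
    return edgeMatchesEntry(s.peer1.tail, s.peer2.entry);
}

// Safe: specialize peer #1's missing slot from peer #2's entry type map.
bool linkUsingTargetEntry() {
    Scenario s;
    specializeMissing(s.peer1.tail, s.peer2.entry);
    return edgeMatchesEntry(s.peer1.tail, s.peer2.entry);
}
```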
Comment 6 • 16 years ago
Comment on attachment 415143
fix
This looks very similar to the SpecializeTreeToMissingGlobals function. What's the difference?
Comment 7 • 16 years ago (Assignee)
They are similar, so I've made one version wrap the more general one. This one is for trunk, I'll post a 1.9.2 patch once this gets reviewed.
Attachment #415143 - Attachment is obsolete: true
Attachment #415478 - Flags: review?(gal)
Attachment #415143 - Flags: review?(gal)
Updated • 16 years ago
Attachment #415478 - Flags: review?(gal) → review+
Comment 8 • 16 years ago (Assignee)
Whiteboard: fixed-in-tracemonkey
Comment 9 • 16 years ago (Assignee)
Comment 10 • 16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 11 • 16 years ago
status1.9.2: --- → final-fixed
Comment 12 • 13 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+