558619 - TM: Crash [@ js_Enumerate] or "Assertion failure: JSVAL_IS_INT(v), at ../jsapi.h" with Iterator

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

eval("new Iterator")


(pass this as a CLI argument to assert/crash)

asserts js debug shell on TM tip without -j at Assertion failure: JSVAL_IS_INT(v), at ../jsapi.h:242 and crashes js opt shell without -j at js_Enumerate

Tested on 64-bit Linux. autoBisecting soon...

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Actually, this is enough:

new Iterator


(eval isn't needed)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to bug 557914:

The first bad revision is:
changeset:   40655:121debb9ff3d
user:        Andreas Gal
date:        Sat Apr 10 16:08:14 2010 -0700
summary:     Remove gcIteratorTable (557914, r=brendan).

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Due to simplicity, this affects jsfunfuzz quite a bit..

Comment 4

[Brendan Eich [:brendan]]

Attachment: fix

Why didn't this used to happen? Simple: we wouldn't js_RegisterCloseableIterator until InitNativeIterator, after js_ValueToNonNullObject(cx, argv[0]) succeeded. If the last failed, we'd never register.

Now with Andreas's patch, just creating a new Iterator instance makes an object of GC-finalize-kind FINALIZE_ITER, and we will inevitably CloseNativeIterator it.

/be

Comment 5

[Brendan Eich [:brendan]]

http://hg.mozilla.org/tracemonkey/rev/4932aaad4962

/be

Comment 6

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/4932aaad4962