Assertion failure: entry->vword.toObject() == JSVAL_TO_OBJECT(v)

Status: RESOLVED FIXED
Severity: critical
Reported: 9 years ago; last updated: 6 years ago
Reporter: jruderman; Assigned: jorendorff
Keywords: assertion, regression, testcase
Version: Trunk; Platform: x86, Mac OS X
Bug flags: in-testsuite +
Firefox tracking flags: blocking2.0 betaN+
Whiteboard: fixed-in-tracemonkey
Attachments: 1

Description (Reporter, 9 years ago)
for (let j = 0; j < 4; ++j) {
  function g() { j; }
  g();
}

Assertion failure: entry->vword.toObject() == JSVAL_TO_OBJECT(v), at ../jsinterp.cpp:2184

Crashes when using just the interpreter, no -j or -m!
TM branch rev 5b05b75cd402.

I discovered this using a new technique (not jsfunfuzz).
autoBisect shows this is probably related to bug 471214:

The first bad revision is:
changeset:   32130:842e6c09e35a
user:        Brendan Eich
date:        Thu Sep 03 14:41:19 2009 -0700
summary:     Join lambdas assigned or initialized as methods to the compiler-created function object if we can, with a read barrier to clone on method value extractions other than call expressions (471214, r=jorendorff).
Blocks: 471214
Keywords: regression
fwiw, bug 471214 was not landed on 1.9.2 so this should not affect Firefox 3.6.x and before.
This bug, along with bug 560101, is being hit somewhat frequently by jsfunfuzz, especially after jsfunfuzz was improved to hit this bug. :)
blocking2.0: --- → ?
Comment 4 (Assignee, 9 years ago)
The second time through the loop, the global is already branded, and JSOP_DEFFUN ends up in js_DefineNativeProperty to change the value of g, a function-valued global property.

This should change the global shape, but it doesn't.
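The invariant comment 4 describes, as an added example that is not SpiderMonkey code and not part of this bug's attachment: a toy model of a property cache keyed on object shape, where caching a function-valued property "brands" the object, so overwriting such a property must change the shape or a later cache hit hands back the stale function object (the analogue of the `entry->vword.toObject() == JSVAL_TO_OBJECT(v)` assertion failing). The class and method names (`BrandedObject`, `PropertyCache`, `define`, `lookup`, `runLoop`) are invented for the model; `fixed` selects the shape-bump behaviour the fix is described as restoring.

```javascript
// Toy model (added example, not js_DefineNativeProperty or the real
// PropertyCache): a global-like object whose shape must change whenever a
// cached function-valued property could go stale.
class BrandedObject {
  constructor() {
    this.shape = 0;            // cache key; must change on any staleness-inducing mutation
    this.slots = new Map();    // property name -> current value
    this.branded = false;      // set once a method value has been cached for this object
  }

  // Model of defining (or redefining) a plain data property.
  // fixed=false reproduces the reported behaviour: overwriting an existing
  // slot never touches the shape. fixed=true applies the rule from comment 4:
  // on a branded object, replacing a function value must change the shape.
  define(name, value, fixed) {
    const had = this.slots.has(name);
    const old = this.slots.get(name);
    this.slots.set(name, value);
    if (!had) {
      this.shape++;            // adding a property always changes shape
    } else if (fixed && this.branded && typeof old === 'function') {
      this.shape++;            // the fix: a rebranded method gets a new shape
    }
  }
}

// Cache keyed on (shape, name). A hit on a function value is trusted without
// re-reading the slot, which is exactly why the shape must be reliable.
class PropertyCache {
  constructor() { this.entries = new Map(); }

  lookup(obj, name) {
    const key = `${obj.shape}:${name}`;
    const hit = this.entries.get(key);
    if (hit !== undefined) return hit;
    const value = obj.slots.get(name);
    if (typeof value === 'function') {
      obj.branded = true;      // caching a method value brands the object
      this.entries.set(key, value);
    }
    return value;
  }
}

// Replays the testcase's loop against the model. Each pass stores a fresh
// function object into global property g (what JSOP_DEFFUN does) and then
// resolves g through the cache, as the g() call would. Returns the index of
// the first pass on which the cached object differs from the slot, or -1.
function runLoop(fixed, iterations = 4) {
  const global = new BrandedObject();
  const cache = new PropertyCache();
  for (let j = 0; j < iterations; j++) {
    global.define('g', function g() { return j; }, fixed);
    const cached = cache.lookup(global, 'g');
    if (cached !== global.slots.get('g')) return j;
  }
  return -1;
}
```

With `fixed=false` the model goes stale on the second pass (index 1), matching "the second time through the loop"; with `fixed=true` every pass sees the function object actually stored in the slot.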
Updated (Assignee, 9 years ago)
Assignee: general → jorendorff
Comment 5 (Assignee, 9 years ago)
Created attachment 442548 [details] [diff] [review]
v1

The fix is in the first hunk. The rest is tidying up and tests.
Attachment #442548 - Flags: review?(brendan)
Comment on attachment 442548 [details] [diff] [review]
v1

I had plans for toval; no worries, it can come back if needed.

/be
Attachment #442548 - Flags: review?(brendan) → review+
Comment 7 (Assignee, 9 years ago)
http://hg.mozilla.org/tracemonkey/rev/539d04cccb8b

I have to admit this "new technique" sounds ominous.
Whiteboard: fixed-in-tracemonkey
Yeah, don't tease, Jesse. We're all expecting a new, fully operational, space-squid-obvious, Death Star. IT'S A TRAP!!

/be

Comment 9 (9 years ago)
http://hg.mozilla.org/mozilla-central/rev/539d04cccb8b
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Updated (Reporter, 9 years ago)
Blocks: 564338

Updated (9 years ago)
Depends on: 564344
Depends on: 567152

Updated (8 years ago)
blocking2.0: ? → betaN+
A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-560998-1.js.
Flags: in-testsuite+