Closed Bug 560998 Opened 10 years ago Closed 10 years ago

Assertion failure: entry->vword.toObject() == JSVAL_TO_OBJECT(v)

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: jorendorff)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

for (let j = 0; j < 4; ++j) {
  function g() { j; }
  g();
}

Assertion failure: entry->vword.toObject() == JSVAL_TO_OBJECT(v), at ../jsinterp.cpp:2184

Crashes when using just the interpreter, no -j or -m!
TM branch rev 5b05b75cd402.

I discovered this using a new technique (not jsfunfuzz).
autoBisect shows this is probably related to bug 471214:

The first bad revision is:
changeset:   32130:842e6c09e35a
user:        Brendan Eich
date:        Thu Sep 03 14:41:19 2009 -0700
summary:     Join lambdas assigned or initialized as methods to the compiler-created function object if we can, with a read barrier to clone on method value extractions other than call expressions (471214, r=jorendorff).
Blocks: 471214
Keywords: regression
fwiw, bug 471214 was not landed on 1.9.2 so this should not affect Firefox 3.6.x and before.
This bug, along with bug 560101, is being hit somewhat frequently by jsfunfuzz, especially after jsfunfuzz was improved to hit this bug. :)
blocking2.0: --- → ?
The second time through the loop, the global is already branded, and JSOP_DEFFUN ends up in js_DefineNativeProperty to change the value of g, a function-valued global property.

This should change the global shape, but it doesn't.
Assignee: general → jorendorff
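The observable contract behind the report's testcase and the analysis above is that redefining a function-valued property (here the global `g` on the second and later trips through the loop) must be visible to every later lookup, whether the property is called or merely read as a value, and each definition must be a fresh function closing over its own `j`. The block below is an added regression-style check written for this page, not code from the bug, the patch, or the SpiderMonkey test suite; it also generalises past the global case to an ordinary object's method read through one shared call site, which is the kind of site a property cache keys on. The names `g560998`, `callSite` and `obj.m` are this example's own choices.

```javascript
// Added example (not from the bug report or the SpiderMonkey patch).
// Checks the contract that the failing assertion protects: after a
// function-valued property is redefined, every later lookup sees the new
// function, and each definition is a distinct function object.

// 1. The report's pattern: a block-level function redefined on each iteration.
function checkRedefinedFunctionEachIteration() {
  'use strict';
  const seen = [];
  const results = [];
  for (let j = 0; j < 4; ++j) {
    function g() { return j; }
    seen.push(g);        // value read of g, not a call
    results.push(g());   // call through g
  }
  return {
    results,                                       // [0, 1, 2, 3]
    distinct: new Set(seen).size === seen.length,  // four distinct closures
  };
}

// 2. The case in the analysis: a function-valued global property rewritten
//    on the second and later iterations, then called through the global name.
//    The property name is hypothetical, chosen to avoid clobbering anything.
function checkGlobalFunctionRedefinition() {
  'use strict';
  const out = [];
  for (let j = 0; j < 4; ++j) {
    globalThis.g560998 = function () { return j; };
    out.push(globalThis.g560998());
  }
  delete globalThis.g560998;  // leave the global object as we found it
  return out;                 // [0, 1, 2, 3]
}

// 3. Generalisation beyond the page: the same redefinition on an ordinary
//    object, reached through one shared call site and also extracted as a
//    plain value rather than called (the "method value extraction" case).
function checkMethodRedefinitionAtSharedCallSite() {
  'use strict';
  const obj = {};
  const callSite = (o) => o.m();  // single call site, value changes each trip
  const extracted = [];
  const called = [];
  for (let j = 0; j < 4; ++j) {
    obj.m = function () { return j; };
    extracted.push(obj.m);        // value extraction, not a call
    called.push(callSite(obj));   // call through the shared site
  }
  return {
    called,                                      // [0, 1, 2, 3]
    distinctExtracted: new Set(extracted).size,  // 4
  };
}
```

Each function returns the values it observed rather than printing them, so the checks can be run under any engine: an engine that served a stale function from a cache keyed on an unchanged shape would repeat an earlier `j` in `results`, `out` or `called`, or collapse `distinctExtracted` below 4.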
Attached patch v1
The fix is in the first hunk. The rest is tidying up and tests.
Attachment #442548 - Flags: review?(brendan)
Comment on attachment 442548 (v1)

I had plans for toval; no worries, it can come back if needed.

/be
Attachment #442548 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/539d04cccb8b

I have to admit this "new technique" sounds ominous.
Whiteboard: fixed-in-tracemonkey
Yeah, don't tease, Jesse. We're all expecting a new, fully operational, space-squid-obvious, Death Star. IT'S A TRAP!!

/be
http://hg.mozilla.org/mozilla-central/rev/539d04cccb8b
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Depends on: 564344
blocking2.0: ? → betaN+
A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-560998-1.js.
Flags: in-testsuite+