Closed Bug 561279 Opened 15 years ago Closed 15 years ago

TM: "Assertion failure: obj->getPrivate() == fp, at ../jstracer.cpp" or "Assertion failure: obj->getPrivate() == js_FloatingFrameIfGenerator(cx, fp), at ../jstracer.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta2+
blocking1.9.2 --- -
status1.9.2 --- wanted
blocking1.9.1 --- -
status1.9.1 --- wanted

People

(Reporter: gkw, Assigned: mrbkap)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Proposed fix
1.41 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
for (let y in eval("\ for (z = 0; z < 6; z++) {\ a = z\ }\ "))(y) asserts js debug shell on TM tip with -j at Assertion failure: obj->getPrivate() == fp, at ../jstracer.cpp:13732 Found via the compareJIT part of jsfunfuzz.
autoBisect shows this is probably related to bug 469237: The first bad revision is: changeset: 27482:ca40d9bb0954 user: jimb date: Tue Apr 21 22:42:43 2009 -0700 summary: Bug 469237: Only trace where BINDNAME will choose the global object.
Blocks: 469237
This affects 1.9.1, 1.9.2 and TM tip js shells. Nominating to get it on the radar.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Assignee: general → jorendorff
Wanted, not blocking if it's only in a debug shell.
blocking1.9.1: ? → -
blocking1.9.2: ? → -
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Attached patch Proposed fixSplinter Review
As far as I can tell, this is a bug in the assertion: it assumes that there can only be one frame for a toplevel script. But eval and debugger frames defeat this assumption. The values are still on the stack, so this just widens the assertion.
Assignee: jorendorff → mrbkap
Status: NEW → ASSIGNED
Attachment #444198 - Flags: review?(jorendorff)
Comment on attachment 444198 [details] [diff] [review] Proposed fix That needs to be a while loop instead of an if, because... { let y; eval('eval("for (z = 0; z < 6; z++) a = z;")'); } And this needs tests. r+ with those changes.
Attachment #444198 - Flags: review?(jorendorff) → review+
This has now morphed into the following assertion: Assertion failure: obj->getPrivate() == js_FloatingFrameIfGenerator(cx, fp), at ../jstracer.cpp:13885
Summary: TM: "Assertion failure: obj->getPrivate() == fp, at ../jstracer.cpp" → TM: "Assertion failure: obj->getPrivate() == fp, at ../jstracer.cpp" or "Assertion failure: obj->getPrivate() == js_FloatingFrameIfGenerator(cx, fp), at ../jstracer.cpp"
blocking2.0: ? → beta1+
Doesn't block beta 1.
blocking2.0: beta1+ → beta2+
http://hg.mozilla.org/mozilla-central/rev/769cce825017
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: