Closed
Bug 563120
Opened 13 years ago
Closed 13 years ago
"Assertion failure: !cx->throwing" with E4X, toString
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: luke)
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.88 KB,
patch
|
Waldo
:
review+
brendan
:
review+
|
Details | Diff | Splinter Review |
Based on js/src/tests/e4x/GC/regress-313952-02.js
var x = new XML("x");
x.function::toString = function() { throw 3; }
var y = new XML("y");
y.function::toString = function() { throw 3; }
x == y;
Assertion failure: !cx->throwing, at ../jsops.cpp:3611
|
Reporter | |
Comment 1•13 years ago
|
||
This variant requires -j.
var x = new XML("text");
x.function::toString = function() {
throw 3;
}
var likeString = {
toString: function() { for (var i = 0; i != 4; ++i) {} }
};
x == likeString;
Assertion failure: r == MONITOR_ERROR, at ../jsops.cpp:871
|
Assignee | |
Comment 2•13 years ago
|
||
The problem is that js_TextXMLEquality calls js_ValueToString twice in a row, only checking for failure after the second call. The first call throws, and the second blindly starts interpreting. So, this seems to be an interpreter bug; the assertions added by bug 560798 are just the first witnesses.
|
||
Updated•13 years ago
|
Attachment #442883 -
Attachment is patch: true
Attachment #442883 -
Attachment mime type: application/octet-stream → text/plain
|
|
Assignee | |
Updated•13 years ago
|
Attachment #442883 -
Flags: review?(jwalden+bmo)
|
|
||
Comment 3•13 years ago
|
||
Comment on attachment 442883 [details] [diff] [review] patch Oh boy -- this goes back to 2004. /be
Attachment #442883 -
Flags: review+
|
||
Updated•13 years ago
|
Attachment #442883 -
Flags: review?(jwalden+bmo) → review+
|
|
||
Updated•13 years ago
|
Keywords: regression
|
|
Assignee | |
Comment 4•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/efab4df4fc6f
Assignee: general → lw
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Comment 5•13 years ago
|
||
Missed an init. http://hg.mozilla.org/tracemonkey/rev/c6857d0b1e9f
|
||
Comment 7•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/efab4df4fc6f
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•