"Assertion failure: !cx->throwing" with E4X, toString

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
RESOLVED FIXED
Reported:
9 years ago
Modified:
9 years ago

People

(Reporter: jruderman, Assigned: luke)

Tracking

({assertion, regression, testcase})

Version:
Trunk
Platform:
x86
Mac OS X
Keywords:
assertion, regression, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

patch
1.88 KB, patch
Waldo
: review+
brendan
: review+
Details | Diff | Splinter Review
(Reporter)

Description

9 years ago 
Based on js/src/tests/e4x/GC/regress-313952-02.js

var x = new XML("x");
x.function::toString = function() { throw 3; }
var y = new XML("y");
y.function::toString = function() { throw 3; }
x == y;

Assertion failure: !cx->throwing, at ../jsops.cpp:3611
(Reporter)

Comment 1

9 years ago 
This variant requires -j.

var x = new XML("text");
x.function::toString = function() {
  throw 3;
}
var likeString = {
  toString: function() { for (var i = 0; i != 4; ++i) {} }
};
x == likeString;

Assertion failure: r == MONITOR_ERROR, at ../jsops.cpp:871
(Assignee)

Comment 2

9 years ago 
Created attachment 442883 [details] [diff] [review]
patch

The problem is that js_TextXMLEquality calls js_ValueToString twice in a row, only checking for failure after the second call.  The first call throws, and the second blindly starts interpreting.  So, this seems to be an interpreter bug; the assertions added by bug 560798 are just the first witnesses.
Attachment #442883 - Attachment is patch: true
Attachment #442883 - Attachment mime type: application/octet-stream → text/plain
 (Assignee)

Updated

9 years ago
Attachment #442883 - Flags: review?(jwalden+bmo)

Comment 3

9 years ago 
Comment on attachment 442883 [details] [diff] [review]
patch

Oh boy -- this goes back to 2004.

/be
Attachment #442883 - Flags: review+

Updated

9 years ago
Attachment #442883 - Flags: review?(jwalden+bmo) → review+
Keywords: regression
 (Assignee)

Comment 4

9 years ago 
http://hg.mozilla.org/tracemonkey/rev/efab4df4fc6f
Assignee: general → lw
Whiteboard: fixed-in-tracemonkey
 (Assignee)

Comment 6

9 years ago 
Ignore comment 5, wrong bug.

Comment 7

9 years ago 
http://hg.mozilla.org/mozilla-central/rev/efab4df4fc6f
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
 (Reporter)

Updated

9 years ago
Blocks: 564338
You need to log in before you can comment on or make changes to this bug.