Closed Bug 589115 Opened 14 years ago Closed 14 years ago

JM: Crash [@ js::mjit::stubs::SetName] or "Assertion failure: entry->vword.isSprop(),"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

for each(y in ['', 0, '']) {
  y.lastIndexOf--
}

crashes js opt shell on JM changeset 8a0513a5c024 with -m but without -j at js::mjit::stubs::SetName and asserts js debug shell at Assertion failure: entry->vword.isSprop(), at ../methodjit/StubCalls.cpp:150

(gdb) bt
#0  0x00168fc4 in JS_Assert (s=0x29ae5f "entry->vword.isSprop()", file=0x294bd4 "../methodjit/StubCalls.cpp", ln=150) at ../jsutil.cpp:80
#1  0x00209b0a in js::mjit::stubs::SetName (f=@0xbffff450, origAtom=0x1404840) at ../methodjit/StubCalls.cpp:150
#2  0x005c93e1 in ?? ()
#3  0x001fd3bd in js::mjit::JaegerShot (cx=0x60a5a0) at ../methodjit/MethodJIT.cpp:664
#4  0x000bca34 in js::RunScript (cx=0x60a5a0, script=0x60be30, fun=0x0, scopeChain=0x1402000) at jsinterp.cpp:465
#5  0x000be3c3 in js::Execute (cx=0x60a5a0, chain=0x1402000, script=0x60be30, down=0x0, flags=0, result=0x0) at jsinterp.cpp:944
#6  0x0001719a in JS_ExecuteScript (cx=0x60a5a0, obj=0x1402000, script=0x60be30, rval=0x0) at ../jsapi.cpp:4744
#7  0x0000c6c6 in Process (cx=0x60a5a0, obj=0x1402000, filename=0xbffff97b "vwordAssertSetNameOptCrash.js", forceTTY=0) at ../../shell/js.cpp:442
#8  0x0000d43b in ProcessArgs (cx=0x60a5a0, obj=0x1402000, argv=0xbffff868, argc=2) at ../../shell/js.cpp:862
#9  0x0000d554 in shell (cx=0x60a5a0, argc=2, argv=0xbffff868, envp=0xbffff874) at ../../shell/js.cpp:5151
#10 0x0000d678 in main (argc=2, argv=0xbffff868, envp=0xbffff874) at ../../shell/js.cpp:5247
Attached patch fixSplinter Review
Don't use propcache on PROPINC and friends.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #468080 - Flags: review?(dmandelin)
Comment on attachment 468080 [details] [diff] [review]
fix

Ordinarily, I would much prefer the branch to be controlled by an input parameter instead of bytecode inspection. But, in this particular case, bytecode inspection actually seems more reliable, because the bytecodes that can't use the cache can't forget to disable it. Someday, we will make propdec and such easier to use.
Attachment #468080 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/projects/jaegermonkey/rev/e42b505b43f3
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::stubs::SetName]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug589115.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: