Closed Bug 592217 Opened 14 years ago Closed 14 years ago

"Assertion failure: !shape->inDictionary(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla2.0
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: brendan)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

just a bogus assertion
1.84 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
(function ([b]) { default xml namespace = 7 })(0) asserts js debug shell on TM changeset e8ee411dca70 without -j at Assertion failure: !shape->inDictionary(), Program received signal SIGABRT, Aborted. 0xf7fdf430 in __kernel_vsyscall () (gdb) bt #0 0xf7fdf430 in __kernel_vsyscall () #1 0xf7fb7610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42 #2 0x0818a611 in JS_Assert (s=0x8290ad8 "!shape->inDictionary()", file=0x8290828 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsscope.cpp", ln=549) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsutil.cpp:83 #3 0x0815e1e5 in js::Shape::newDictionaryList (cx=0x833caa8, listp=0xf7502460) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsscope.cpp:549 #4 0x0815de4a in JSObject::getChildProperty (this=0xf7502460, cx=0x833caa8, parent=0x834bc0c, child=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsscope.cpp:481 #5 0x0815e8a2 in JSObject::addPropertyCommon (this=0xf7502460, cx=0x833caa8, id=..., getter=0, setter=0, slot=4294967295, attrs=4, flags=0, shortid=0, spp=0x834bc4c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsscope.cpp:688 #6 0x0815eaf7 in JSObject::putProperty (this=0xf7502460, cx=0x833caa8, id=..., getter=0, setter=0, slot=4294967295, attrs=4, flags=0, shortid=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsscope.cpp:749 #7 0x080fc523 in js_DefineNativeProperty (cx=0x833caa8, obj=0xf7502460, id=..., value=..., getter=0x806b3ad <JS_PropertyStub>, setter=0x806b3ad <JS_PropertyStub>, attrs=4, flags=0, shortid=0, propp=0x0, defineHow=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsobj.cpp:4190 #8 0x080fc02d in js_DefineProperty (cx=0x833caa8, obj=0xf7502460, id=..., value=0xffffc5c8, getter=0x806b3ad <JS_PropertyStub>, setter=0x806b3ad <JS_PropertyStub>, attrs=4) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsobj.cpp:4056 #9 0x080733b2 in JSObject::defineProperty (this=0xf7502460, cx=0x833caa8, id=..., value=..., getter=0x806b3ad <JS_PropertyStub>, setter=0x806b3ad <JS_PropertyStub>, attrs=4) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsobj.h:997 #10 0x081a8bf9 in js_SetDefaultXMLNamespace (cx=0x833caa8, v=...) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsxml.cpp:7269 #11 0x082599dc in js::Interpret (cx=0x833caa8) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsinterp.cpp:6257 #12 0x080de6d4 in js::Execute (cx=0x833caa8, chain=0xf7502000, script=0x834a538, down=0x0, flags=0, result=0xffffd210) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsinterp.cpp:881 #13 0x08070a6a in JS_ExecuteScript (cx=0x833caa8, obj=0xf7502000, script=0x834a538, rval=0xffffd210) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/jsapi.cpp:4744 #14 0x0804c45e in Process (cx=0x833caa8, obj=0xf7502000, filename=0x0, forceTTY=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/shell/js.cpp:534 #15 0x0804cfc5 in ProcessArgs (cx=0x833caa8, obj=0xf7502000, argv=0xffffd418, argc=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/shell/js.cpp:855 #16 0x080558cb in shell (cx=0x833caa8, argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/shell/js.cpp:5058 #17 0x080559e7 in main (argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-51612-e8ee411dca70/compilePath/shell/js.cpp:5145
blocking2.0: --- → ?
Probably related to bug 558451. Regression window: http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=be9979b4c10b&tochange=f3e58c264932
Blocks: 558451
OS: Linux → All
Hardware: x86 → All
blocking2.0: ? → betaN+
Assignee: general → brendan
Target Milestone: --- → mozilla2.0
Attachment #476714 - Flags: review?(jorendorff)
Attachment #476714 - Flags: review?(jorendorff) → review+
http://hg.mozilla.org/tracemonkey/rev/ed934a5f7ef1 /be
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/ed934a5f7ef1 /be
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/tests/js1_8_5/regress/regress-592217.js.
Flags: in-testsuite+
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: