593580 - "Assertion failure: !p,"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

realEval = eval
f = eval("(function(){for(let x in[\
         __defineGetter__(\"\",function(){})\
         ,__defineGetter__(\"\
         functional\
         \",Math.pow)\
         ]){\
         (__defineSetter__(\"\",function(){}))\
         ()\
         }})")
try {
    f()
} catch (r) {
    delete this.eval
    delete this.Math
    eval = realEval
    e = this.toSource
}
f = eval("(function(){(__defineSetter__(\"\
         functional\
         \",(function(){return{t:function(){}}})))()})")
try {
    f()
} catch (r) {
    eval()
}


asserts js debug shell on TM changeset 60af58b42567 without -m nor -j at Assertion failure: !p, (pass the testcase in as a CLI argument to reproduce)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   52709:cb719643afc5
user:        Brendan Eich
date:        Wed Aug 18 11:34:13 2010 -0700
summary:     Bug 535629 - Deleted properties' slots are not recycled (r=gal).

Comment 2

[Luke Wagner [:luke]]

I'm able to repro on the original cset, but not on TM tip.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   53415:3feb012b18a3
user:        Brendan Eich
date:        Thu Sep 02 18:46:11 2010 -0700
summary:     Bugs in dictionary-mode property table maintenance (593256, r=jorendorff).

Comment 4

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929