Closed
Bug 597875
Opened 14 years ago
Closed 14 years ago
"Assertion failure: !shape->inDictionary(), ..." [@js::Shape::newDictionaryList]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 592217
People
(Reporter: bjacob, Unassigned)
References
()
Details
Hi,
I get this crash at this URL which is a WebGL demo:
http://webglsamples.googlecode.com/hg/aquarium/aquarium.html
The console says:
Assertion failure: !shape->inDictionary(), at /home/bjacob/mozilla-central/js/src/jsscope.cpp:559
Program dist/bin/firefox-bin (pid = 30518) received signal 6.
Stack trace:
#0 0x000000385bea6a6d in nanosleep () from /lib64/libc.so.6
#1 0x000000385bea68e0 in sleep () from /lib64/libc.so.6
#2 0x00007f7111567b8c in ah_crap_handler (signum=6)
at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3 0x00007f711156c3aa in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fff4d64d9b0, context=
0x7fff4d64d880) at nsProfileLock.cpp:221
#4 <signal handler called>
#5 0x000000385ca0f30b in raise () from /lib64/libpthread.so.0
#6 0x00007f7112eb9848 in JS_Assert (s=0x7f71136ab08c "!shape->inDictionary()", file=
0x7f71136aadf0 "/home/bjacob/mozilla-central/js/src/jsscope.cpp", ln=559)
at /home/bjacob/mozilla-central/js/src/jsutil.cpp:83
#7 0x00007f7112e8906b in js::Shape::newDictionaryList (cx=0x33ce2e0, listp=0x7f70d821c7e0)
at /home/bjacob/mozilla-central/js/src/jsscope.cpp:559
#8 0x00007f7112e88cff in JSObject::getChildProperty (this=0x7f70d821c7e0, cx=0x33ce2e0, parent=0x496e6a0,
child=...) at /home/bjacob/mozilla-central/js/src/jsscope.cpp:494
#9 0x00007f7112e89d13 in JSObject::addPropertyCommon (this=0x7f70d821c7e0, cx=0x33ce2e0, id=..., getter=0,
setter=0, slot=4294967295, attrs=5, flags=0, shortid=0, spp=0x496e690)
at /home/bjacob/mozilla-central/js/src/jsscope.cpp:779
#10 0x00007f7112e89ff9 in JSObject::putProperty (this=0x7f70d821c7e0, cx=0x33ce2e0, id=..., getter=0, setter=0,
slot=4294967295, attrs=5, flags=0, shortid=0) at /home/bjacob/mozilla-central/js/src/jsscope.cpp:842
#11 0x00007f7112e1ea5e in js_DefineNativeProperty (cx=0x33ce2e0, obj=0x7f70d821c7e0, id=..., value=..., getter=
0x7f7112d72e57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, setter=
0x7f7112d72e57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, attrs=5, flags=0, shortid=0, propp=
0x0, defineHow=0) at /home/bjacob/mozilla-central/js/src/jsobj.cpp:4237
#12 0x00007f7112e1e4cb in js_DefineProperty (cx=0x33ce2e0, obj=0x7f70d821c7e0, id=..., value=0x7fff4d64e190,
getter=0x7f7112d72e57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, setter=
0x7f7112d72e57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, attrs=5)
at /home/bjacob/mozilla-central/js/src/jsobj.cpp:4103
#13 0x00007f7112d7f440 in JSObject::defineProperty (this=0x7f70d821c7e0, cx=0x33ce2e0, id=..., value=...,
getter=0x7f7112d72e57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, setter=
0x7f7112d72e57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, attrs=5)
at /home/bjacob/mozilla-central/js/src/jsobj.h:1037
#14 0x00007f7113028c85 in js::mjit::stubs::DefFun<0> (f=..., fun=0x7f71002d3130)
at /home/bjacob/mozilla-central/js/src/methodjit/StubCalls.cpp:961
#15 0x00007f71000a1ffd in ?? ()
#16 0x00007f7100461000 in ?? ()
#17 0x0000000000000000 in ?? ()
|
Reporter | |
Updated•14 years ago
|
Summary: Crash (methodjit) (failed assertion) [@js::Shape::newDictionaryList] → Crash (failed assertion) [@js::Shape::newDictionaryList]
|
|
Reporter | |
Comment 1•14 years ago
|
||
The above was with the methodjit. But with methodjit disabled, I get the same crash with almost the same stack trace, only this time it comes from js::Invoke instead of stubs:
#0 0x000000385bea6a6d in nanosleep () from /lib64/libc.so.6
#1 0x000000385bea68e0 in sleep () from /lib64/libc.so.6
#2 0x00007fd90a8c3b8c in ah_crap_handler (signum=6)
at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3 0x00007fd90a8c83aa in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fff8732b870, context=
0x7fff8732b740) at nsProfileLock.cpp:221
#4 <signal handler called>
#5 0x000000385ca0f30b in raise () from /lib64/libpthread.so.0
#6 0x00007fd90c215848 in JS_Assert (s=0x7fd90ca0708c "!shape->inDictionary()", file=
0x7fd90ca06df0 "/home/bjacob/mozilla-central/js/src/jsscope.cpp", ln=559)
at /home/bjacob/mozilla-central/js/src/jsutil.cpp:83
#7 0x00007fd90c1e506b in js::Shape::newDictionaryList (cx=0x2969080, listp=0x7fd8dc559cb0)
at /home/bjacob/mozilla-central/js/src/jsscope.cpp:559
#8 0x00007fd90c1e4cff in JSObject::getChildProperty (this=0x7fd8dc559cb0, cx=0x2969080, parent=0x3d6d540,
child=...) at /home/bjacob/mozilla-central/js/src/jsscope.cpp:494
#9 0x00007fd90c1e5d13 in JSObject::addPropertyCommon (this=0x7fd8dc559cb0, cx=0x2969080, id=..., getter=0,
setter=0, slot=4294967295, attrs=5, flags=0, shortid=0, spp=0x3d6d530)
at /home/bjacob/mozilla-central/js/src/jsscope.cpp:779
#10 0x00007fd90c1e5ff9 in JSObject::putProperty (this=0x7fd8dc559cb0, cx=0x2969080, id=..., getter=0, setter=0,
slot=4294967295, attrs=5, flags=0, shortid=0) at /home/bjacob/mozilla-central/js/src/jsscope.cpp:842
#11 0x00007fd90c17aa5e in js_DefineNativeProperty (cx=0x2969080, obj=0x7fd8dc559cb0, id=..., value=..., getter=
0x7fd90c0cee57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, setter=
0x7fd90c0cee57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, attrs=5, flags=0, shortid=0, propp=
0x0, defineHow=0) at /home/bjacob/mozilla-central/js/src/jsobj.cpp:4237
#12 0x00007fd90c17a4cb in js_DefineProperty (cx=0x2969080, obj=0x7fd8dc559cb0, id=..., value=0x7fff8732c400,
getter=0x7fd90c0cee57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, setter=
0x7fd90c0cee57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, attrs=5)
at /home/bjacob/mozilla-central/js/src/jsobj.cpp:4103
#13 0x00007fd90c0db440 in JSObject::defineProperty (this=0x7fd8dc559cb0, cx=0x2969080, id=..., value=...,
getter=0x7fd90c0cee57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, setter=
0x7fd90c0cee57 <JS_PropertyStub(JSContext*, JSObject*, jsid, jsval*)>, attrs=5)
at /home/bjacob/mozilla-central/js/src/jsobj.h:1037
#14 0x00007fd90c36a56f in js::Interpret (cx=0x2969080, entryFrame=0x7fd900536188, inlineCallCount=1,
interpFlags=0) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:5260
#15 0x00007fd90c157894 in js::RunScript (cx=0x2969080, script=0x4463940, fun=0x7fd8dc8f8e40, scopeChain=...)
at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:484
#16 0x00007fd90c157fad in js::Invoke (cx=0x2969080, argsRef=..., flags=8192)
at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:592
|
||
Updated•14 years ago
|
Severity: normal → critical
|
||
Comment 2•14 years ago
|
||
Please put the assertion text in the bug summary. /be
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Summary: Crash (failed assertion) [@js::Shape::newDictionaryList] → "Assertion failure: !shape->inDictionary(), ..." [@js::Shape::newDictionaryList]
You need to log in
before you can comment on or make changes to this bug.
Description
•