Closed
Bug 605015
Opened 14 years ago
Closed 14 years ago
"Assertion failure: (this)->containsSlot(slot),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: dmandelin)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.55 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
print(this.watch("x",
function() {
Object.defineProperty(this, "x", ({
get: (Int8Array)
}))
}))(x = /x/)
asserts js debug shell on TM changeset 47a8311cf0bb without -m or -j at Assertion failure: (this)->containsSlot(slot),
|
Reporter | |
Comment 1•14 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 54300:7ef107ab081e user: Brendan Eich date: Thu Sep 16 11:56:54 2010 -0700 summary: Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff).
Blocks: 596805
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
|
||
Comment 2•14 years ago
|
||
Stack trace for the assertion:
#0 0xf7fdf430 in __kernel_vsyscall ()
#1 0xf7fb2610 in raise (sig=6)
at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x081bd385 in JS_Assert (s=0x831d5b0 "containsSlot(slot)",
file=0x831d57b "../jsobj.h", ln=636) at ../jsutil.cpp:83
#3 0x08077499 in JSObject::nativeGetSlot (this=0xf7502028, slot=4294967295)
at ../jsobj.h:636
#4 0x0812c9c6 in JSObject::methodWriteBarrier (this=0xf7502028,
cx=0x8415cc8, shape=..., v=...) at ../jsobjinlines.h:193
#5 0x08124f0e in js_NativeSet (cx=0x8415cc8, obj=0xf7502028,
shape=0x84231e0, added=false, vp=0xffffc5a8) at ../jsobj.cpp:4962
#6 0x08126859 in js_SetPropertyHelper (cx=0x8415cc8, obj=0xf7502028, id=...,
defineHow=1, vp=0xffffc5a8, strict=0) at ../jsobj.cpp:5436
#7 0x082f233f in js::Interpret (cx=0x8415cc8, entryFrame=0xf77ab030,
inlineCallCount=0, interpMode=JSINTERP_NORMAL) at ../jsinterp.cpp:4445
#8 0x08100618 in js::RunScript (cx=0x8415cc8, script=0x842a300,
fp=0xf77ab030) at ../jsinterp.cpp:657
#9 0x081017b9 in js::Execute (cx=0x8415cc8, chain=0xf7502028,
script=0x842a300, prev=0x0, flags=0, result=0x0) at ../jsinterp.cpp:1005
#10 0x08073c02 in JS_ExecuteScript (cx=0x8415cc8, obj=0xf7502028,
script=0x842a300, rval=0x0) at ../jsapi.cpp:4837
#11 0x0804c4ee in Process (cx=0x8415cc8, obj=0xf7502028,
filename=0xffffd2c5 "a.js", forceTTY=0) at ../../shell/js.cpp:453
#12 0x0804d4d5 in ProcessArgs (cx=0x8415cc8, obj=0xf7502028, argv=0xffffd0c8,
argc=1) at ../../shell/js.cpp:952
#13 0x08056a61 in Shell (cx=0x8415cc8, argc=1, argv=0xffffd0c8,
envp=0xffffd0d0) at ../../shell/js.cpp:5370
#14 0x08056c3c in main (argc=1, argv=0xffffd0c8, envp=0xffffd0d0)
at ../../shell/js.cpp:5478
containsSlot() fails because 'slot' is equal to 0xffffffff, ie.
SHAPE_INVALID_SLOT.
|
Assignee | |
Updated•14 years ago
|
Assignee: general → dmandelin
|
|
Assignee | |
Comment 3•14 years ago
|
||
|
|
Assignee | |
Updated•14 years ago
|
Attachment #493887 -
Flags: review?(dvander)
|
|
||
Updated•14 years ago
|
Attachment #493887 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 4•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/a77a648a6f4c
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 5•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/a77a648a6f4c
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 6•14 years ago
|
||
Tardy nit: we usually use if (A && B) instead of if (A) if (B). No big deal, and I have a patch to use if (brandedOrHasMethodBarrier()) instead of the open-coded flag test equiv. that I'll get in for bug 597864. /be
|
||
Comment 7•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug605015.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•