Closed Bug 607502 Opened 15 years ago Closed 15 years ago

JM: "Assertion failure: isShape()" with Object.freeze(this)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
8.76 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review
./js -m function q() { ++i; } var i = 0; Object.freeze(this); q(); q(); Assertion failure: isShape(), at js/src/jspropertycache.h:112
It's trying to use some sort of genericized name-increment code that getgnames, does math, and setgnames, and the two ops naturally don't interact well with the single slot-looking property cache entry created by the interpreter for incops. I couldn't quite follow the code, and its bewildering variety of similar names, well enough to say any more with much confidence in my reading of it.
blocking2.0: --- → ?
blocking2.0: ? → betaN+
Attached patch fixSplinter Review
Smarter disabling of property cache usage, like for the other ICs.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #489599 - Flags: review?(dmandelin)
Attachment #489599 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/mozilla-central/rev/3d63107fc788
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: