Closed Bug 610088 Opened 14 years ago Closed 13 years ago

"Assertion failure: script->main <= target && target < script->code + script->length" with evalcx, Object.seal(this), proxy

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: billm)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [softblocker][fixed-in-tracemonkey])

Attachments

(3 files, 1 obsolete file)

stack trace
8.88 KB, text/plain
Details
js shell testcase
217 bytes, text/javascript
Details
fix
799 bytes, patch
dmandelin
: review+
Details | Diff | Splinter Review
Attached file js shell testcase (obsolete) — 
Assertion failure: script->main <= target && target < script->code + script->length, at js/src/jsopcode.cpp:5524

The first bad revision is:
changeset:   7ef107ab081e
user:        Brendan Eich
date:        Thu Sep 16 11:56:54 2010 -0700
summary:     Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff).
Attached file stack trace 

    
    

    
  
Fixed by bug 600642.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   60012:9074de2454dc
user:        Andreas Gal
date:        Mon Jan 10 11:42:11 2011 -0800
summary:     Rename Proxy enumerateOwn to keys (bug 600642, r=jorendorff,brendan).
Status: NEW → RESOLVED
Closed: 13 years ago
OS: Linux → Windows CE
Resolution: --- → FIXED

    
    

    
  
No, that patch only renamed enumerateOwn to keys ;)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  

      
      
      
      

        Attached file
          
        js shell testcase
      

    


  

    
  

        Attachment #488630 -
        Attachment is obsolete: true

    
  
OS: Windows CE → All
Hardware: x86_64 → All
blocking2.0: --- → ?
blocking2.0: ? → .x

    
    

    
  
Why .x?

    
    

    
  
(In reply to comment #5)
> Why .x?

The bug looks like an assertion failure in the decompiler for some obscure code. Seems lower priority than our existing softblockers.

    
    

    
  
Without some more detailed look I would be worried to just postpone this indefinitely, in particular with a public visible test case. softblocker instead? I wouldn't hold a release over this, but I would prioritize this over any non-FF4-blocker work.

    
    

    
  
(In reply to comment #7)
> Without some more detailed look I would be worried to just postpone this
> indefinitely, in particular with a public visible test case. softblocker
> instead? I wouldn't hold a release over this, but I would prioritize this over
> any non-FF4-blocker work.

Sure, I was on the border on this one.
blocking2.0: .x → betaN+
Whiteboard: softblocker

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
This was a quick fix. Here's what happened:
- We seal |this|
- Defining |y| in the last line causes an error
- To print the error message, we try to decompile the value of |x|
- When we try to enumerate the properties of |x|, we call its keys method, which is really Object.getPrototypeOf
- This function expects more than one argument, so it throws an error
- To print *this* error, we call DecompileValueGenerator from the prologue of the |const y| script (I think)
- DecompileValueGenerator freaks out because you're not supposed to call it from the prologue

The patch just uses the fallback case in DecompileValueGenerator when it's called from the prologue. The fallback case calls ValueToString, which seem fine here.
Assignee: general → wmccloskey
Status: REOPENED → ASSIGNED

        Attachment #506040 -
        Flags: review?(dmandelin)

        Attachment #506040 -
        Flags: review?(dmandelin) → review+

    
    

    
  
Thanks for the quick fix. Cool.

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/df4c38d9144e
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED

    
    

    
  
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: