Closed
Bug 610088
Opened 14 years ago
Closed 13 years ago
"Assertion failure: script->main <= target && target < script->code + script->length" with evalcx, Object.seal(this), proxy
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: jruderman, Assigned: billm)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [softblocker][fixed-in-tracemonkey])
Attachments
(3 files, 1 obsolete file)
Assertion failure: script->main <= target && target < script->code + script->length, at js/src/jsopcode.cpp:5524 The first bad revision is: changeset: 7ef107ab081e user: Brendan Eich date: Thu Sep 16 11:56:54 2010 -0700 summary: Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff).
Reporter | ||
Comment 1•14 years ago
|
||
Comment 2•13 years ago
|
||
Fixed by bug 600642. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 60012:9074de2454dc user: Andreas Gal date: Mon Jan 10 11:42:11 2011 -0800 summary: Rename Proxy enumerateOwn to keys (bug 600642, r=jorendorff,brendan).
Status: NEW → RESOLVED
Closed: 13 years ago
OS: Linux → Windows CE
Resolution: --- → FIXED
Reporter | ||
Comment 3•13 years ago
|
||
No, that patch only renamed enumerateOwn to keys ;)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reporter | ||
Comment 4•13 years ago
|
||
Reporter | ||
Updated•13 years ago
|
Attachment #488630 -
Attachment is obsolete: true
Reporter | ||
Updated•13 years ago
|
OS: Windows CE → All
Hardware: x86_64 → All
Updated•13 years ago
|
blocking2.0: --- → ?
Updated•13 years ago
|
blocking2.0: ? → .x
Comment 5•13 years ago
|
||
Why .x?
Comment 6•13 years ago
|
||
(In reply to comment #5) > Why .x? The bug looks like an assertion failure in the decompiler for some obscure code. Seems lower priority than our existing softblockers.
Comment 7•13 years ago
|
||
Without some more detailed look I would be worried to just postpone this indefinitely, in particular with a public visible test case. softblocker instead? I wouldn't hold a release over this, but I would prioritize this over any non-FF4-blocker work.
Comment 8•13 years ago
|
||
(In reply to comment #7) > Without some more detailed look I would be worried to just postpone this > indefinitely, in particular with a public visible test case. softblocker > instead? I wouldn't hold a release over this, but I would prioritize this over > any non-FF4-blocker work. Sure, I was on the border on this one.
blocking2.0: .x → betaN+
Whiteboard: softblocker
Assignee | ||
Comment 9•13 years ago
|
||
This was a quick fix. Here's what happened: - We seal |this| - Defining |y| in the last line causes an error - To print the error message, we try to decompile the value of |x| - When we try to enumerate the properties of |x|, we call its keys method, which is really Object.getPrototypeOf - This function expects more than one argument, so it throws an error - To print *this* error, we call DecompileValueGenerator from the prologue of the |const y| script (I think) - DecompileValueGenerator freaks out because you're not supposed to call it from the prologue The patch just uses the fallback case in DecompileValueGenerator when it's called from the prologue. The fallback case calls ValueToString, which seem fine here.
Assignee: general → wmccloskey
Status: REOPENED → ASSIGNED
Attachment #506040 -
Flags: review?(dmandelin)
Updated•13 years ago
|
Attachment #506040 -
Flags: review?(dmandelin) → review+
Comment 10•13 years ago
|
||
Thanks for the quick fix. Cool.
Assignee | ||
Comment 11•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/df4c38d9144e
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
Comment 12•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/df4c38d9144e
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Comment 13•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•