Closed Bug 618574 Opened 14 years ago Closed 14 years ago

TM: "Assertion failure: !IsFunctionObject(v),"

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla2.0b8
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: hardblocker, [sg:critical?], fixed-in-tracemonkey)

Attachments

(1 file)

eval("\
(function(){\
x=Proxy.createFunction((\
function(){\
return{\
iterate:function(){\
return(function(){})\
}\
}\
}()\
),Object.getOwnPropertyDescriptor);\
function a(z){\
for(v in z)n\
}\
for each(let e in[\
String,String,String,Number,Number,String,new String,new Number,x\
]){\
a(e)\
}\
})\
")()

asserts js debug shell on TM changeset 1002cba2f2d6 with -j at Assertion failure: !IsFunctionObject(v),
blocking2.0: --- → ?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: fatvals
fatvals added a slew of assertions, including this one. If you put diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp --- a/js/src/jstracer.cpp +++ b/js/src/jstracer.cpp @@ -2745,16 +2745,17 @@ TraceMonitor::mark(JSTracer* trc) switch (type) { case TT_OBJECT: + JS_ASSERT(!(*(JSObject**)slot)->isFunction()); v = OBJECT_TO_JSVAL(*(JSObject**)slot); To the cset before fatvals, the given testcase still asserts. Gary, do you suppose you could bisect back a bit further using this added assertion?
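Review bot: the added `JS_ASSERT(!(*(JSObject**)slot)->isFunction());` under `case TT_OBJECT:` in `TraceMonitor::mark` is a debug-only check, so it moves the failure earlier for bisection but changes nothing in release builds and does not by itself repair the slot that ends up holding a function object under the wrong type tag; a one-line comment stating the invariant being asserted (a `TT_OBJECT` slot never holds a function object) would tell whoever trips it during bisection what was violated. Note also that the hunk header `@@ -2745,16 +2745,17 @@` promises 16/17 lines of context while only three are quoted, so this is an excerpt to apply by hand rather than something `patch` will accept as pasted.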
No longer blocks: fatvals
blocking2.0: ? → betaN+
Simpler:

var x = Proxy.create({ iterate: function () { return function () {}; } });
for each (var e in [{}, {}, {}, {}, {}, {}, {}, {}, x])
    for (var v in e) ;

Stack is just js::LeaveTree -> js::NativeToValue -> assertion. It happens when leaving trace after a deep bail.
Assignee: general → jorendorff
Attached patch v1
Attachment #497444 - Flags: review?(dvander)
Attachment #497444 - Flags: review?(dvander) → review+
Whiteboard: [fixed-in-tracemonkey]
Target Milestone: --- → mozilla2.0b8
bhackett says this caused serious regressions including bug 619880.
The comparison on the webkit sunspider page doesn't work any more with this patch.
Whiteboard: [fixed-in-tracemonkey]
When a new patch for this bug is written, can the author please check that this program from bug 619880 runs without asserting? Thanks.

for(let a in[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]) for(d in[]);
Depends on: 619880
How far back does this bug go -- affects 1.9.x versions? Is this a critical security bug or bogus assertion?
Whiteboard: hardblocker
Blocks: 619880
No longer depends on: 619880
sg:critical? until proven otherwise.
Whiteboard: hardblocker → hardblocker, [sg:critical?]
The original patch needs to "vp->setObject(*obj)" in ObjectToIterator before calling js_ValueToIterator. With that, comment 0, comment 3, comment 9, and trace tests pass.
is this fixed-on-tm?

Jason Orendorff – Unbox iterator after deep bail. Bug 618574, r=dvander. Second landing, including a fix thanks to luke.
(In reply to comment #14) > is this fixed-on-tm? > > Jason Orendorff – Unbox iterator after deep bail. Bug 618574, r=dvander. Second > landing, including a fix thanks to luke. Yes. http://hg.mozilla.org/tracemonkey/rev/1f9f35be9840
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: hardblocker, [sg:critical?] → hardblocker, [sg:critical?], fixed-in-tracemonkey
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security