Closed Bug 621121 Opened 14 years ago Closed 14 years ago

Assert isObject() with function increment

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 618007
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: decoder, Assigned: adrake)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: softblocker)

Attachments

(1 file, 1 obsolete file)

Patch v1
2.53 KB, patch
Details | Diff | Splinter Review 
The following code asserts in shell on mozilla-central-trunk:

var foo;

testFoo(0);
testFoo(0);

function testFoo(i)
{
  foo = getFoo(i);
}

function getFoo(i)
{
  getFoo++;
}


Assertion failure: isObject(), at jsvalue.h:602
Bisecting on tracemonkey yields:

changeset:   52243:db403b4edf3e
parent:      52220:9889018ba3cf
parent:      52242:68f7019ffed5
user:        David Anderson <dvander@alliedmods.net>
date:        Mon Jul 05 18:07:39 2010 -0700
summary:     [JAEGER] Merge from fatval & TM.

changeset:   52244:0ea22d1ff97e
user:        David Anderson <dvander@alliedmods.net>
date:        Mon Jul 05 20:14:42 2010 -0700
summary:     [JAEGER] Unbroke build, merge merge merge.
After further digging behind that merge, the actual first bad revision is:

changeset:   51981:56ac5ae1825d
user:        David Anderson <danderson@mozilla.com>
date:        Thu Jun 10 23:43:14 2010 -0700
summary:     [JAEGER] Statically bind some global functions (bug 562729, r=brendan).
To clarify:  it asserts with 'js' and 'js -j'.  It runs correctly with 'js -m' or any other invocation involving '-m'.

It's a regression.  I bisected it to the JM merge :(
Looks like adrake beat me to it and did a better job!
Nominating as blocking2.0 because it's a regression.
blocking2.0: --- → ?
Keywords: assertion, regression, testcase
The problem is caused by INCGLOBAL/DECGLOBAL/GLOBALINC/GLOBALDEC not properly invalidating the shape if incrementing something other than an integer. I copied the logic to do this from SETGLOBAL/FORGLOBAL, and it appears to have fixed the regression.

Patch against tip forthcoming.
Assignee: general → adrake
Attached patch Patch v0 (obsolete) — Splinter Review 
Patch against tip. Doesn't regress any jstests and fixes given test case.
Attached patch Patch v1Splinter Review 
With regression test for test suite.
Attachment #499622 - Attachment is obsolete: true
Bug 618007 removes the INCGLOBAL/DECGLOBAL/etc ops entirely, rendering this fix obsolete when that one lands.
Depends on: 618007
blocking2.0: ? → betaN+
Whiteboard: softblocker
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: