Closed Bug 626345 Opened 13 years ago Closed 13 years ago

Assertion failure: !addPropShapeBefore, at jstracer.cpp:7226

Product: Core :: JavaScript Engine
Type: defect
Hardware: All
OS: Linux
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Tracking Status: blocking2.0 --- betaN+
Reporter: decoder
Assigned: jorendorff
Keywords: assertion, regression, testcase
Whiteboard: [softblocker][fixed-in-tracemonkey][fx4-fixed-bugday]
Attachments: 1 file
The following code asserts on TM tip:

options('tracejit');
for (var j = 0; uneval({'-1':true}); ++j) { (-0).toString(); }
Keywords: assertion, testcase
Assignee: general → jorendorff
After seeing this bug report, I tweaked jsfunfuzz to be able to trigger it.

Here's a simpler testcase:

options('tracejit');
for (var j=0;j<9;++j) ({'0': 0});
Attached patch v1
I'm a little surprised nothing like this was in our test suite.

The call to js_CheckForStringIndex I'm adding here is to make this like js_DefineNativeProperty, which is the interpreter path. It seems like jsemit.cpp would be a much better place to normalize, but a narrow fix is wisest now.
Attachment #504527 - Flags: review?(jwalden+bmo)
Blocks: 559653
The patch contains some CRs, which I have excised locally.
The first bad revision is:
changeset:   33c58d16d911
user:        Jason Orendorff
date:        Fri Jan 14 16:18:53 2011 -0600
summary:     Bug 559653 - Record assignment before the interpreter goes, mostly. This reduces record_SetPropHit to a narrower callback, record_AddProperty. r=brendan.
Keywords: regression
blocking2.0: --- → ?
Hardware: x86_64 → All
blocking2.0: ? → betaN+
Whiteboard: softblocker
Attachment #504527 - Flags: review?(jwalden+bmo) → review+
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/34359bdfcde4
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
(In reply to comment #1)
> After seeing this bug report, I tweaked jsfunfuzz to be able to trigger it.
> 
> Here's a simpler testcase:
> 
> options('tracejit');
> for (var j=0;j<9;++j) ({'0': 0});

Jesse, can you verify this is now fixed? Thanks
Whiteboard: [softblocker][fixed-in-tracemonkey] → [softblocker][fixed-in-tracemonkey][fx4-fixed-bugday]
Flags: in-testsuite+
Status: RESOLVED → VERIFIED