Closed
Bug 626345
Opened 13 years ago
Closed 13 years ago
Assertion failure: !addPropShapeBefore, at jstracer.cpp:7226
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: decoder, Assigned: jorendorff)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [softblocker][fixed-in-tracemonkey][fx4-fixed-bugday])
Attachments
(1 file)
1.29 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
The following code asserts on TM tip: options('tracejit'); for (var j = 0; uneval({'-1':true}); ++j) { (-0).toString();
Reporter | ||
Updated•13 years ago
|
Assignee | ||
Updated•13 years ago
|
Assignee: general → jorendorff
Comment 1•13 years ago
|
||
After seeing this bug report, I tweaked jsfunfuzz to be able to trigger it. Here's a simpler testcase: options('tracejit'); for (var j=0;j<9;++j) ({'0': 0});
Assignee | ||
Comment 2•13 years ago
|
||
I'm a little surprised nothing like this was in our test suite. The call to js_CheckForStringIndex I'm adding here is to make this like js_DefineNativeProperty, which is the interpreter path. It seems like jsemit.cpp would be a much better place to normalize, but a narrow fix is wisest now.
Attachment #504527 -
Flags: review?(jwalden+bmo)
Assignee | ||
Comment 3•13 years ago
|
||
The patch contains some CRs, which I have excised locally.
Comment 4•13 years ago
|
||
The first bad revision is: changeset: 33c58d16d911 user: Jason Orendorff date: Fri Jan 14 16:18:53 2011 -0600 summary: Bug 559653 - Record assignment before the interpreter goes, mostly. This reduces record_SetPropHit to a narrower callback, record_AddProperty. r=brendan.
Keywords: regression
Updated•13 years ago
|
blocking2.0: --- → ?
Hardware: x86_64 → All
Updated•13 years ago
|
blocking2.0: ? → betaN+
Whiteboard: softblocker
Updated•13 years ago
|
Attachment #504527 -
Flags: review?(jwalden+bmo) → review+
Assignee | ||
Updated•13 years ago
|
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
Comment 5•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/34359bdfcde4
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 6•13 years ago
|
||
(In reply to comment #1) > After seeing this bug report, I tweaked jsfunfuzz to be able to trigger it. > > Here's a simpler testcase: > > options('tracejit'); > for (var j=0;j<9;++j) ({'0': 0}); jesse, can you verify this is now fixed? Thanks
Whiteboard: [softblocker][fixed-in-tracemonkey] → [softblocker][fixed-in-tracemonkey][fx4-fixed-bugday]
Updated•13 years ago
|
Flags: in-testsuite+
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•