Closed
Bug 628334
Opened 9 years ago
Closed 9 years ago
TM: Assertion failure: shape->hasDefaultSetter(), at ../jstracer.cpp:12207
Categories
(Core :: JavaScript Engine, defect, critical)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: jandem, Assigned: jorendorff)
References
Details
(4 keywords, Whiteboard: [softblocker][fixed-in-tracemonkey])
Attachments
(2 files)
|
1.20 KB,
text/plain
|
Details | |
|
3.71 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
--
var o = {};
o.watch("p", function() { });
for(var i=0; i<20; i++) {
o.p = 123;
delete o.p;
}
--
This asserts with -j:
Assertion failure: shape->hasDefaultSetter(), at ../jstracer.cpp:12207
|
Reporter | |
Comment 1•9 years ago
|
||
The first bad revision is: changeset: 60418:33c58d16d911 user: Jason Orendorff <jorendorff@mozilla.com> date: Fri Jan 14 16:18:53 2011 -0600 summary: Bug 559653 - Record assignment before the interpreter goes, mostly. This reduces record_SetPropHit to a narrower callback, record_AddProperty. r=brendan.
Blocks: 559653
|
|
Reporter | |
Comment 2•9 years ago
|
||
|
Assignee | |
Comment 3•9 years ago
|
||
Taking preliminarily, but it'll be hours before I get a chance to really look, so feel free to steal it. Looks like it might just be one of those silly "oh, i forgot watchpoints can happen" situations.
Assignee: general → jorendorff
|
|
Reporter | |
Updated•9 years ago
|
blocking2.0: --- → ?
|
||
Comment 4•9 years ago
|
||
For this test case, nothing happens in opt mode. I think the bug is that in this particular combo of watchpoints and tracing, a setter could get skipped. Thus, softblocker. Let me know if I missed something and it is more serious.
blocking2.0: ? → final+
Whiteboard: softblocker
|
|
Assignee | |
Comment 5•9 years ago
|
||
Right. Actually the interpreter has a bug here too, bug 631305. Fortunately the watchpoint machinery is robust against it. Fix coming.
|
||
Updated•9 years ago
|
Attachment #509511 -
Flags: review?(gal) → review+
|
||
Comment 7•9 years ago
|
||
> IsWatchedProperty(JSContext *cx, const Shape *shape)
> {
> if (shape->hasSetterValue()) {
> JSObject *funobj = shape->setterObject();
> if (!funobj || !funobj->isFunction())
> return false;
>
> JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);
How about modernizing to use funobj->getFunctionPrivate() while you are here?
/be|
|
Assignee | |
Comment 8•9 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/ae1e00dc43b7
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
|
||
Comment 9•9 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/ae1e00dc43b7
|
|
||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Comment 10•7 years ago
|
||
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•