Closed Bug 634593 Opened 9 years ago Closed 9 years ago

Assertion failure: proto->isNative(), at jsobjinlines.h:917

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- .x+

People

(Reporter: decoder, Assigned: brendan)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Running the following code with -j in the shell causes an assertion (tested on TM tip):

this.__defineGetter__("x3", Function);
parseInt = x3;
parseInt.prototype = [];
for (var z = 0; z < 10; ++z) { new parseInt() }
Group: core-security
blocking2.0: --- → ?
This doesn't crash my opt shell.

It seems to be just a bogus assertion; more specifically, a latent bug exposed by patch for bug 633929. Underlying code goes back to my patch for bug 535416.

/be
Blocks: 630865
Group: core-security
Assignee: general → brendan
Status: NEW → ASSIGNED
blocking2.0: ? → .x
This is not a blocker but bogus assertions are bad for fuzzing, so it should be fixed (DEBUG-only change, I hope).

/be
Non-native objects can provide empty shapes?
(In reply to comment #4)
> Non-native objects can provide empty shapes?

Surprising but true.

/be
OS: Linux → Windows CE
Attachment #513000 - Flags: review?(jorendorff)
Comment on attachment 513000 [details] [diff] [review]
remove bogus assertion

Needs a test. r=me with that.
Attachment #513000 - Flags: review?(jorendorff) → review+
OS: Windows CE → Linux
OS: Linux → All
Hardware: x86_64 → All
http://hg.mozilla.org/tracemonkey/rev/b0fd21292a78

/be
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/b0fd21292a78
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 676763
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug634593.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.