Closed Bug 646366 Opened 13 years ago Closed 13 years ago

"Assertion failure: pobj == found,"

Categories

(Core :: JavaScript Engine, defect)

Platform: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
Tracking Status
blocking-fx --- ?

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)

o66 = [].__proto__
o66["hasOwnProperty"] = (5)["hasOwnProperty"]
__proto__.prototype = function() {}
_var_ = 2;
for (x in _var_) {
    _var_[x]
}
Function("for each(z in[]){z.prototype}")()

asserts js debug shell on TM changeset e6c5a67da7ae without -m or -j at Assertion failure: pobj == found,

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   63295:67b102d581dd
user:        Jim Blandy
date:        Tue Mar 15 12:18:36 2011 -0700
summary:     Bug 554955: Give blocks and call objects unique shapes when they have parents that may be extended with new bindings. r=jorendorff

Top 4 lines of backtrace:
(gdb) bt
#0  0x00000001001c0166 in JS_Assert (s=0x1003167f5 "pobj == found", file=0x100317a48 "/Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsinterp.cpp", ln=2032) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsutil.cpp:86
#1  0x00000001000c37c8 in AssertValidPropertyCacheHit (cx=0x1008126b0, script=0x100815000, regs=@0x7fff5fbfe0c0, pcoff=0, start=0x100d131b8, found=0x100d030d8, entry=0x1007b2150) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsinterp.cpp:2032
#2  0x00000001000d940d in js::Interpret () at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsinterp.cpp:4133
#3  0x00000001000f005f in js::RunScript (cx=0x1008126b0, script=0x100814cd0, fp=0x100900048) at jsinterp.cpp:636
blocking-fx: --- → ?
Whiteboard: js-triage-needed
Seems to WFM now. Probably fixed by bug 694561.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   81261:8f3d52b0fc52
user:        Brian Hackett
date:        Fri Oct 14 13:51:21 2011 -0700
summary:     Move rarely set object flags to BaseShape, bug 694561.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite?