Closed Bug 646366 Opened 14 years ago Closed 13 years ago

"Assertion failure: pobj == found,"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking-fx --- ?

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)

o66 = [].__proto__
o66["hasOwnProperty"] = (5)["hasOwnProperty"]
__proto__.prototype = function() {}
_var_ = 2;
for (x in _var_) {
  _var_[x]
}
Function("for each(z in[]){z.prototype}")()

asserts js debug shell on TM changeset e6c5a67da7ae without -m nor -j at Assertion failure: pobj == found,

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 63295:67b102d581dd
user: Jim Blandy
date: Tue Mar 15 12:18:36 2011 -0700
summary: Bug 554955: Give blocks and call objects unique shapes when they have parents that may be extended with new bindings. r=jorendorff

Top 4 lines of backtrace:

(gdb) bt
#0 0x00000001001c0166 in JS_Assert (s=0x1003167f5 "pobj == found", file=0x100317a48 "/Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsinterp.cpp", ln=2032) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsutil.cpp:86
#1 0x00000001000c37c8 in AssertValidPropertyCacheHit (cx=0x1008126b0, script=0x100815000, regs=@0x7fff5fbfe0c0, pcoff=0, start=0x100d131b8, found=0x100d030d8, entry=0x1007b2150) at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsinterp.cpp:2032
#2 0x00000001000d940d in js::Interpret () at /Users/fuzz4/Desktop/jsfunfuzz-dbg-64-tm-63591-e6c5a67da7ae/compilePath/jsinterp.cpp:4133
#3 0x00000001000f005f in js::RunScript (cx=0x1008126b0, script=0x100814cd0, fp=0x100900048) at jsinterp.cpp:636

blocking-fx: --- → ?
Whiteboard: js-triage-needed

Seems to WFM now. Probably fixed by bug 694561.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 81261:8f3d52b0fc52
user: Brian Hackett
date: Fri Oct 14 13:51:21 2011 -0700
summary: Move rarely set object flags to BaseShape, bug 694561.

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite?