Closed
Bug 660538
Opened 14 years ago
Closed 13 years ago
TM: Crash [@ js::DefaultValue] or "Assertion failure: v.isObject(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(4 keywords)
Crash Data
Attachments
(2 files)
|
8.39 KB,
text/plain
|
Details | |
|
1.41 KB,
patch
|
dmandelin
:
review+
|
Details | Diff | Splinter Review |
Error.prototype.__proto__.p = 5;
f = Function("return( \"\" <arguments for(w in[]))");
for (i in f()) {}
crashes js opt shell on JM changeset 56eeb8e6d7c2 with -n at js::DefaultValue and asserts js debug shell at Assertion failure: v.isObject(),
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 70194:81997070017e
user: Brian Hackett
date: Thu May 26 12:28:19 2011 -0700
summary: [INFER] Optimize arguments accesses, bug 658638.
|
Reporter | |
Comment 1•14 years ago
|
||
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
|
Assignee | |
Comment 2•14 years ago
|
||
The script here contains JSOP_ARGUMENTS but it does not have the usesArguments flag set. I think this is a bug in TM, but I'm not sure. Should the script->usesArguments flag be synonymous with 'script contains JSOP_ARGUMENTS' ? This was my reading of its comment. CC'ing dvander.
|
|
Assignee | |
Comment 4•14 years ago
|
||
Reminder note to double check the bug 660562 testcase when this gets resolved.
|
|
Reporter | |
Updated•14 years ago
|
Summary: TI: Crash [@ js::DefaultValue] or "Assertion failure: v.isObject()," → TM: Crash [@ js::DefaultValue] or "Assertion failure: v.isObject(),"
|
|
Assignee | |
Comment 5•13 years ago
|
||
Fix. We recorded the usesArguments on the function's TreeContext, and then made a new script to handle the array comprehension. generatorExpr tried to propagate the deoptimization flags from the outer script into the comprehension script, but this was actually a no-op because it did this on the inner tc rather than the outer tc (here, tc == &gentc). This is purely a TM issue, but I'd like to land this fix directly on JM and not TM, since this mainly affects JM and JM will be merging to TM very soon anyways. It does need to get reviewed though, since this is outside the inference code and not under the purview of bug 657412.
Assignee: general → bhackett1024
Attachment #537913 -
Flags: review?(dmandelin)
|
||
Comment 6•13 years ago
|
||
Comment on attachment 537913 [details] [diff] [review] patch Review of attachment 537913 [details] [diff] [review]: -----------------------------------------------------------------
Attachment #537913 -
Flags: review?(dmandelin) → review+
|
|
Assignee | |
Comment 7•13 years ago
|
||
http://hg.mozilla.org/projects/jaegermonkey/rev/cbf05c26053e
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ js::DefaultValue]
|
||
Comment 8•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug660538.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•