Bug 660538 - TM: Crash [@ js::DefaultValue] or "Assertion failure: v.isObject(),"
Keywords: assertion, crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Priority: --  Severity: critical
Target Milestone: ---
Assigned To: Brian Hackett (:bhackett)
QA Contact: Jason Orendorff [:jorendorff]
Duplicates: 660562
Depends on:
Blocks: jsfunfuzz infer-regress 630996 658638
Reported: 2011-05-29 07:36 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:48 PST
CC: 6 users
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments:
stack (8.39 KB, text/plain), 2011-05-29 07:36 PDT, Gary Kwong [:gkw] [:nth10sd]
patch (1.41 KB, patch), 2011-06-07 17:08 PDT, Brian Hackett (:bhackett); dmandelin: review+

Description  Gary Kwong [:gkw] [:nth10sd] 2011-05-29 07:36:29 PDT
Created attachment 535935 (stack)

// Error.prototype.__proto__ is Object.prototype, so this adds an enumerable
// property to every object.
Error.prototype.__proto__.p = 5;
// Legacy SpiderMonkey generator expression that references `arguments` inside
// the comprehension, which the compiler emits as a separate script.
f = Function("return( \"\" <arguments for(w in[]))");
for (i in f()) {}

crashes js opt shell on JM changeset 56eeb8e6d7c2 with -n at js::DefaultValue and asserts js debug shell at Assertion failure: v.isObject(),

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   70194:81997070017e
user:        Brian Hackett
date:        Thu May 26 12:28:19 2011 -0700
summary:     [INFER] Optimize arguments accesses, bug 658638.
Comment 1  Gary Kwong [:gkw] [:nth10sd] 2011-05-29 07:37:36 PDT
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Comment 2  Brian Hackett (:bhackett) 2011-05-29 21:40:39 PDT
The script here contains JSOP_ARGUMENTS but it does not have the usesArguments flag set. I think this is a bug in TM, but I'm not sure. Should the script->usesArguments flag be synonymous with 'script contains JSOP_ARGUMENTS'? This was my reading of its comment. CC'ing dvander.
Comment 3  Brian Hackett (:bhackett) 2011-05-29 21:41:42 PDT
*** Bug 660562 has been marked as a duplicate of this bug. ***
Comment 4  Brian Hackett (:bhackett) 2011-05-29 21:42:56 PDT
Reminder note to double check the bug 660562 testcase when this gets resolved.
Comment 5  Brian Hackett (:bhackett) 2011-06-07 17:08:33 PDT
Created attachment 537913 (patch)

Fix.  We recorded the usesArguments on the function's TreeContext, and then made a new script to handle the array comprehension.  generatorExpr tried to propagate the deoptimization flags from the outer script into the comprehension script, but this was actually a no-op because it did this on the inner tc rather than the outer tc (here, tc == &gentc).

This is purely a TM issue, but I'd like to land this fix directly on JM and not TM, since this mainly affects JM and JM will be merging to TM very soon anyways.  It does need to get reviewed though, since this is outside the inference code and not under the purview of bug 657412.
Comment 6  David Mandelin [:dmandelin] 2011-06-07 17:22:04 PDT
Review of attachment 537913 (patch):
Comment 7  Brian Hackett (:bhackett) 2011-06-08 09:53:40 PDT
Comment 8  Christian Holler (:decoder) 2013-01-14 08:48:37 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug660538.js.
