Closed Bug 688973 Opened 13 years ago Closed 12 years ago

Assertion failure: !global->nativeLookup(cx, id), at ../jsobjinlines.h:1648

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: decoder
Assignee: Unassigned
Keywords: assertion, testcase
Whiteboard: js-triage-needed [jsbugmon:]

The following test asserts on mozilla-central revision fecae145d884 (options -m -n -a):


const [ QName, [] ] = ['a b','c d'];
var xmlOl = new XML('foo');

Crash Automation hit this assertion at http://www.slacker.com on Linux, Mac, Windows on Aurora/9, Nightly/10 yesterday but I can't reproduce this locally. Resubmitting the url does reproduce the assertion though using https://hg.mozilla.org/mozilla-central/rev/1fa31fa85082 and https://hg.mozilla.org/releases/mozilla-aurora/rev/10dca99e30c4

Pseudo stack was: JS_Assert | js::DefineConstructorAndPrototype InitErrorClass js_InitExceptionClasses js_GetClassObject js_FindClassObject

(In reply to Christian Holler (:decoder) from comment #0)
> The following test asserts on mozilla-central revision fecae145d884 (options
> -m -n -a):
> 
> 
> const [ QName, [] ] = ['a b','c d'];
> var xmlOl = new XML('foo');

Here is a non-XML test case that trips the same assertion (with a stack more like Bob's):

const [ Error ] = [ 3 ];
var x = y.z

The first line should be an error, because Error is supposed to be already defined on the global object. Both const and destructuring initialization are required to trip the assert. This may be related to bug 708892.

Depends on: 708892

Now reproducible on http://www.slacker.com/webplayer/index_embed.vm with Beta/10, Aurora/11, Nightly/12 on Mac, Linux and Windows

[jwalden@wheres-wally src]$ cat /tmp/fail.js
const [Error] = [5]
[jwalden@wheres-wally src]$ dbg/js -e 'disfile("/tmp/fail.js")'
loc     op
-----   --
main:
00000:  int8 5
00002:  getlocal 0
00005:  bindname "Error"
00008:  qnamepart "Error"
00011:  enumconstelem
00012:  popn 1
00015:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     2 [   2] pcdelta  offset 1
  2:    1    11 [   9] xdelta  
  3:    1    11 [   0] pcbase   offset 6

enumconstelem is the offender here:

#if JS_HAS_DESTRUCTURING
BEGIN_CASE(JSOP_ENUMCONSTELEM)
{
    const Value &ref = regs.sp[-3];
    JSObject *obj;
    FETCH_OBJECT(cx, -2, obj);
    jsid id;
    FETCH_ELEMENT_ID(obj, -1, id);
    if (!obj->defineGeneric(cx, id, ref,
                            JS_PropertyStub, JS_StrictPropertyStub,
                            JSPROP_ENUMERATE | JSPROP_PERMANENT | JSPROP_READONLY)) {
        goto error;
    }
    regs.sp -= 3;
}
END_CASE(JSOP_ENUMCONSTELEM)
#endif

No checks for conflicts or anything.
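
The missing conflict check, modelled as an added example that is not part of the bug thread or SpiderMonkey's source. A plain object stands in for the global object, `initClass` is a stand-in for the class initialization seen in the pseudo stack, and `defineConstChecked` with its error text is hypothetical.

```javascript
// Added model, not SpiderMonkey code. A plain object stands in for the global;
// these attributes mirror JSPROP_ENUMERATE | JSPROP_PERMANENT | JSPROP_READONLY.
const CONST_ATTRS = { enumerable: true, configurable: false, writable: false };
const hasOwn = (obj, id) => Object.prototype.hasOwnProperty.call(obj, id);

// What the JSOP_ENUMCONSTELEM listing does: define the const with no lookup.
function defineConstUnchecked(scope, id, value) {
  Object.defineProperty(scope, id, { value, ...CONST_ATTRS });
}

// Hypothetical checked variant: reject a name that is already bound.
function defineConstChecked(scope, id, value) {
  if (hasOwn(scope, id)) throw new TypeError(`redeclaration of ${id}`);
  Object.defineProperty(scope, id, { value, ...CONST_ATTRS });
}

// Stand-in for class initialization (DefineConstructorAndPrototype in the
// pseudo stack), which asserts the class name is not yet on the global.
function initClass(scope, id, ctor) {
  if (hasOwn(scope, id)) {
    throw new Error(`Assertion failure: !global->nativeLookup(cx, id) [${id}]`);
  }
  Object.defineProperty(scope, id, { value: ctor, writable: true, configurable: true });
}

// Runs both orderings on fresh stand-in globals and reports the outcome.
function demo() {
  const out = {};
  const g1 = {};                              // class not initialized yet
  defineConstUnchecked(g1, "Error", 5);       // const [Error] = [5]
  try { initClass(g1, "Error", function ErrorCtor() {}); out.unchecked = "ok"; }
  catch (e) { out.unchecked = e.message; }
  out.g1 = Object.getOwnPropertyDescriptor(g1, "Error");

  const g2 = {};
  initClass(g2, "Error", function ErrorCtor() {}); // name resolved before define
  try { defineConstChecked(g2, "Error", 5); out.checked = "defined"; }
  catch (e) { out.checked = `${e.name}: ${e.message}`; }
  out.g2StillFunction = typeof g2.Error === "function";
  return out;
}

console.log(demo());
```
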

This is reproducible on Windows 32bit and OS X 64bit beta/13 by pasting the testcase into the Web Console, but on Aurora/14, Nightly/15 it throws a TypeError: redeclaration of var QName

Whiteboard: js-triage-needed → js-triage-needed [jsbugmon:update,reconfirm]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0aa7fc75cad5).

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 183aed68ea36).

Whiteboard: js-triage-needed [jsbugmon:update,reconfirm] → js-triage-needed
Whiteboard: js-triage-needed → js-triage-needed [jsbugmon:bisectfix]
Whiteboard: js-triage-needed [jsbugmon:bisectfix] → js-triage-needed [jsbugmon:]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   91357:4c298ca28fa6
user:        Luke Wagner
date:        Fri Mar 16 12:02:37 2012 -0700
summary:     Bug 740259 - Assert that dynamic binding access is expected (r=bhackett)

Luke, is the fix in comment 8 plausible? Can we close this bug?

I guess so, since it is scope-related.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+