Closed Bug 700799 Opened 13 years ago Closed 13 years ago

[ObjShrink] "Assertion failure: withobj->getClass() == &WithClass,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files, 1 obsolete file)

stack
3.06 KB, text/plain
Details
patch
3.65 KB, patch
luke
: review+
Details | Diff | Splinter Review
Attached file stack
for (let x in [<y/>.(let(x) function() {})]) {} asserts js debug shell on JM changeset 1210706b4576 with patch v1 from bug 697279 without any CLI flags at Assertion failure: withobj->getClass() == &WithClass, autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 78142:f852758f39d1 user: Brian Hackett date: Thu Oct 13 20:21:36 2011 -0700 summary: Move JSObject::parent to BaseShape, bug 638316.
Attached patch patch (obsolete) — Splinter Review
Semantic difference vs. trunk that seems to have been exposed by breakage elsewhere in the VM. When parsing the inner let block the parser sets the static block chain of the inner let to the outer one, and later resets it to NULL (!). The JM branch changed this (wrong) behavior to ignore the second set and keep the static block chain of the inner let pointing to the outer let. Later on when interpreting, the XML filter creates a With object that somehow gets an incorrect static block chain and doesn't force construction of the block for the outer let, so that the with object has the wrong parent. *Still* later, when constructing the block object for the inner let GetScopeChainFull manages to find the outer let, parents the inner one to the outer one and skips the with, then we die when ending the filter because the frame's scope chain is wrong. I don't really have any clue how any of this code works, so this patch just restores the same behavior as trunk and constructs an incorrect static block chain for the let statements. But this should be fixed for real (it is probably a dupe of something else, that let block in the for loop looks suspicious). https://hg.mozilla.org/projects/jaegermonkey/rev/8bea0b58c9ff
Assignee: general → bhackett1024
Attachment #573036 - Flags: review?(luke)
Assignee: bhackett1024 → general
Attached patch patchSplinter Review
Oops, wrong file.
Attachment #573036 - Attachment is obsolete: true
Attachment #573036 - Flags: review?(luke)
Attachment #573037 - Flags: review?(luke)
Comment on attachment 573037 [details] [diff] [review] patch This fix almost dovetails exactly with bug 638316 comment 22 paragraph 1 if you use ObjectOrNullValue instead of UndefinedValue.
Attachment #573037 - Flags: review?(luke) → review+
(In reply to Luke Wagner [:luke] from comment #3) > Comment on attachment 573037 [details] [diff] [review] [diff] [details] [review] > patch > > This fix almost dovetails exactly with bug 638316 comment 22 paragraph 1 if > you use ObjectOrNullValue instead of UndefinedValue. Is this bug still valid for m-c? (seems to be fixed on JM per comment 1) If so, probably the summary should be changed, or a new bug filed. I'm not sure I see the assert on m-c.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/e4x/bug700799.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: