704134 - [ObjShrink]: Assertion failure: pobj == found, at jsinterp.cpp:1459

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on jaegermonkey branch revision a335853be219 (run with -m -n -a), tested on 64 bit:


function f(s) {
    eval(s);
    return function() {
        with({}) {}; // repel JägerMonkey
            return b;
    };
}
var b = 1;
var g1 = f("");
var g2 = f("var b = 2;");
g1('');
assertEq(g2(''), 2);

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

The EXTENSIBLE_PARENTS flag was not getting set in some cases, as it was being masked out.  This fix treats it as an object flag so that replaceLastProperty works properly when used to set the bit.

https://hg.mozilla.org/projects/jaegermonkey/rev/1f04d4f38227

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

In November 2011,

This landed on mozilla-inbound:

http://hg.mozilla.org/integration/mozilla-inbound/rev/1f04d4f38227

and mozilla-central:

http://hg.mozilla.org/mozilla-central/rev/1f04d4f38227

which I think was Firefox 11 in the nightlies.

Comment 3

[Mihaela Velimiroviciu (:mihaelav)]

Ubuntu 11.04 64 bit

I built Spidermonkey for the latest beta (rev d46a4577a631) and run the test from comment #0: no failure occured. 

Marking verified for Firefox 11.

Comment 4

[Mihaela Velimiroviciu (:mihaelav)]

Ubuntu 11.04 64 bit

I built Jaegermonkey for the latest beta (rev 4027017bbaba) and run the test from comment #0: no failure occured. 

Marking verified for Firefox 12.

Comment 5

[Mihaela Velimiroviciu (:mihaelav)]

Ubuntu 11.10 64 bit

I built Jaegermonkey for the latest beta (rev 64ffbdd90ac0) and run the test from comment #0: no failure occured. 

Marking verified for Firefox 13.

Comment 6

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug704134.js.