Closed Bug 705879 Opened 10 years ago Closed 10 years ago

"Assertion failure: isGlobal(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla11

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

stack
5.40 KB, text/plain
Details
fix
1.70 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Attached file stack 
f = eval("\
  (function() {\
    with({}) {\
      yield\
    }\
    for(let d in[gc()])\
    for(b in[0,function(){}]);\
  })\
")
for (e in f()) {}

asserts js debug shell on JM changeset 5546f57c9567 without any CLI flags at Assertion failure: isGlobal(),

Doesn't seem to occur with m-c changeset bc48009a6bbb.

(not sure if the following is correct):

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   79616:d6352d960dd2
parent:      79349:f951e9151626
parent:      79615:921e1db5cf11
user:        Brian Hackett
date:        Wed Nov 02 09:23:25 2011 -0700
summary:     Merge MC -> JM
I can't repro on the named revision and architecture.
(In reply to Brian Hackett (:bhackett) from comment #1)
> I can't repro on the named revision and architecture.

I can definitely still reproduce this on a 32-bit debug shell on JM rev 1e8c03ba91d0 without any CLI flags.
> I can definitely still reproduce this on a 32-bit debug shell on JM rev
> 1e8c03ba91d0 without any CLI flags.

There was some offline discussion about this being possibly platform and configuration-specific and being potentially fixed by bug 692274.
> There was some offline discussion about this being possibly platform and
> configuration-specific and being potentially fixed by bug 692274.

This still reproduces with the patch in comment 35 in bug 692274 applied on m-c rev 7ab478082ca7. Testing m-c because ObjShrink has landed on m-c.

Luke, any ideas on why this still occurs? (when Brian and I last spoke, this doesn't really seem directly related to ObjShrink)
Summary: [ObjShrink] "Assertion failure: isGlobal()," → "Assertion failure: isGlobal(),"
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #4)
> Luke, any ideas on why this still occurs? (when Brian and I last spoke, this
> doesn't really seem directly related to ObjShrink)

Yeah, it's ObjShrink: 'priv' is a stale stack frame stored in the generator object, this code should use the live frame (on the stack), i.e., 'fp'.
Attached patch fixSplinter Review
Attachment #579881 - Flags: review?(bhackett1024)
Attachment #579881 - Flags: review?(bhackett1024) → review+
(In reply to Luke Wagner [:luke] from comment #6)
> Created attachment 579881 [details] [diff] [review]
> fix

(setting assignee to Luke since he has an r+ patch - ready for checkin!)
Assignee: general → luke
Duplicate of this bug: 709929
The testcase in bug 709929 should also be landed.
Righto.  Will land when m-i kerfuffle clears up; sorry for not landing earlier.
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #9)
> The testcase in bug 709929 should also be landed.

Here's another testcase which crashes debug shell that is fixed by the patch here:

f = (function() {
    function shapeyConstructor(qvhvyl) {
        Object.defineProperty(qvhvyl, "", ({
            e: true
        }));
        gc();
    }
    for each(let x in [Number, Number, new Number]) {
        try {
            let g = shapeyConstructor(x);
            with({}) {
                with([]) yield
                }
            } catch (e) {
            }
        }
    })
for (i in f()) {}
https://hg.mozilla.org/mozilla-central/rev/ebfc6414c4dc
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.