Closed Bug 709634 Opened 8 years ago Closed 8 years ago

Assertion failure: isInterpreted(), at ../../jsfun.h:176

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla11

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

Attachments

(1 file)

The following test asserts on mozilla-central revision 63bff373cb94 (options -m -n -a):


Function.prototype.toString = function () f(this, true);
function f(obj) {
  f.caller.p
}
decodeURI + 3;
Tom, you want to take a look, maybe?  Our old friend .caller rears its ugly head.
Attached patch patchSplinter Review
ObjShrink regression, incorrect test in one of the method optimization special cases that clones methods in frame callee slots when they are explicitly accessed with foo.callee or foo.caller.  This used to test that two functions have the same backing script using getFunctionPrivate, and now that getFunctionPrivate is gone the comparison is done by comparing the function scripts.  This botches the assert when one of the involved functions is not interpreted.  I went through the other places in the VM where equality tests are done on function scripts and didn't see anything else that needs fixing.
Assignee: general → bhackett1024
Attachment #581146 - Flags: review?(luke)
Attachment #581146 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/dacb8e36e8bd
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug709634.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.