Assertion failure: isInterpreted(), at ../../jsfun.h:176

RESOLVED FIXED in mozilla11

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Opened: 6 years ago
Last modified: 4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Version: Trunk
Target milestone: mozilla11
Platform: x86_64 Linux
Keywords: assertion, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision 63bff373cb94 (options -m -n -a):


Function.prototype.toString = function () f(this, true);
function f(obj) {
  f.caller.p
}
decodeURI + 3;

Tom, you want to take a look, maybe? Our old friend .caller rears its ugly head.
(Assignee)

Comment 2

6 years ago
Created attachment 581146: patch

ObjShrink regression, incorrect test in one of the method optimization special cases that clones methods in frame callee slots when they are explicitly accessed with foo.callee or foo.caller.  This used to test that two functions have the same backing script using getFunctionPrivate, and now that getFunctionPrivate is gone the comparison is done by comparing the function scripts.  This botches the assert when one of the involved functions is not interpreted.  I went through the other places in the VM where equality tests are done on function scripts and didn't see anything else that needs fixing.
Assignee: general → bhackett1024
Attachment #581146 - Flags: review?(luke)
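
The failure mode described in comment 2, as an added example that is not part of the bug report and is not SpiderMonkey source: a script-equality test calls a script accessor whose precondition is isInterpreted() on a function that may be native. The types and the names Script, Function, makeInterpreted, makeNative, sameScriptUnguarded, sameScriptGuarded and unguardedTrips are hypothetical, the guard shown is one way to write the check rather than the landed patch, and the engine's debug assertion is modeled as an exception so it can be observed.

```cpp
#include <cstdio>
#include <stdexcept>

// Simplified model, not SpiderMonkey source: a function object is either
// interpreted (backed by a script) or native (backed by a C++ entry point).
struct Script { const char *source; };

struct Function {
    bool interpreted;
    union { Script *script_; void (*native_)(); } u;

    bool isInterpreted() const { return interpreted; }

    // Valid only for interpreted functions. The isInterpreted() assertion from
    // the bug title is modeled as a throw so the failure can be observed.
    Script *script() const {
        if (!isInterpreted())
            throw std::logic_error("Assertion failure: isInterpreted()");
        return u.script_;
    }
};

static void nativeStub() {}
Function makeInterpreted(Script *s) { Function f; f.interpreted = true; f.u.script_ = s; return f; }
Function makeNative() { Function f; f.interpreted = false; f.u.native_ = nativeStub; return f; }

// Shape of the incorrect test: compares scripts without checking that both
// functions actually have one.
bool sameScriptUnguarded(const Function &a, const Function &b) {
    return a.script() == b.script();
}

// Guarded form: a native function never shares a script with anything.
bool sameScriptGuarded(const Function &a, const Function &b) {
    return a.isInterpreted() && b.isInterpreted() && a.script() == b.script();
}

// True when the unguarded comparison trips the isInterpreted() precondition.
bool unguardedTrips(const Function &a, const Function &b) {
    try { (void)sameScriptUnguarded(a, b); return false; }
    catch (const std::logic_error &) { return true; }
}

int main() {
    Script s = {"constructed sample script"};
    Function method = makeInterpreted(&s), clone = makeInterpreted(&s), native = makeNative();
    std::printf("clone shares script: %d\n", sameScriptGuarded(method, clone));
    std::printf("native shares script: %d\n", sameScriptGuarded(method, native));
    std::printf("unguarded trips on native: %d\n", unguardedTrips(method, native));
    return 0;
}
```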

Updated

6 years ago
Attachment #581146 - Flags: review?(luke) → review+
(Assignee)

Comment 3

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/dacb8e36e8bd

Comment 4

6 years ago
https://hg.mozilla.org/mozilla-central/rev/dacb8e36e8bd
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
(Reporter)

Comment 5

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug709634.js.
Flags: in-testsuite+