Bug 709634 - Assertion failure: isInterpreted(), at ../../jsfun.h:176
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
Reported: 2011-12-11 16:42 PST by Christian Holler (:decoder)
Modified: 2013-01-14 07:51 PST
choller: in‑testsuite+

patch (1.21 KB, patch)
2011-12-12 19:23 PST, Brian Hackett (:bhackett)
luke: review+

Description Christian Holler (:decoder) 2011-12-11 16:42:21 PST
The following test asserts on mozilla-central revision 63bff373cb94 (options -m -n -a):

Function.prototype.toString = function () f(this, true);
function f(obj) {
decodeURI + 3;
Comment 1 Jeff Walden [:Waldo] (remove +bmo to email) 2011-12-11 20:57:26 PST
Tom, you want to take a look, maybe?  Our old friend .caller rears its ugly head.
Comment 2 Brian Hackett (:bhackett) 2011-12-12 19:23:05 PST
Created attachment 581146

ObjShrink regression, incorrect test in one of the method optimization special cases that clones methods in frame callee slots when they are explicitly accessed with foo.callee or foo.caller.  This used to test that two functions have the same backing script using getFunctionPrivate, and now that getFunctionPrivate is gone the comparison is done by comparing the function scripts.  This botches the assert when one of the involved functions is not interpreted.  I went through the other places in the VM where equality tests are done on function scripts and didn't see anything else that needs fixing.
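
A simplified model of the failure described in comment 2, added here as an illustration; it is not taken from the attached patch or from SpiderMonkey, and `Function`, `Script`, `sameScript`, `sameScriptUnchecked` and `sampleNative` are hypothetical names. It shows why an equality test on function scripts needs an `isInterpreted()` guard on both sides before the script accessor is called.

```cpp
#include <cassert>

// Simplified model; not SpiderMonkey source. All names are hypothetical.
struct Script { int id; };
using Native = int (*)(int);

class Function {
    bool interpreted_;
    union { Script* script; Native native; } u_;  // only one member is valid
  public:
    explicit Function(Script* s) : interpreted_(true) { u_.script = s; }
    explicit Function(Native n) : interpreted_(false) { u_.native = n; }

    bool isInterpreted() const { return interpreted_; }

    // Accessor with a precondition: a native function has no script.
    // With assertions compiled out (NDEBUG) this would read the wrong
    // union member and return it typed as a Script*.
    Script* script() const {
        assert(isInterpreted());
        return u_.script;
    }
};

// Unguarded comparison: trips the assertion in script() as soon as either
// function is native. Kept only to show the shape of the failing test.
bool sameScriptUnchecked(const Function& a, const Function& b) {
    return a.script() == b.script();
}

// Guarded comparison: confirm both functions are interpreted before touching
// script(). A native function never shares a backing script with anything.
bool sameScript(const Function& a, const Function& b) {
    return a.isInterpreted() && b.isInterpreted() && a.script() == b.script();
}

// Constructed stand-in for a native such as decodeURI.
int sampleNative(int x) { return x + 3; }

int main() {
    Script s{1};
    Function interp(&s), native(sampleNative);
    // sameScriptUnchecked(interp, native) would abort here.
    return sameScript(interp, interp) && !sameScript(interp, native) ? 0 : 1;
}
```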
Comment 3 Brian Hackett (:bhackett) 2011-12-15 09:18:31 PST
Comment 4 Ed Morley [:emorley] 2011-12-16 06:13:35 PST
Comment 5 Christian Holler (:decoder) 2013-01-14 07:51:06 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug709634.js.
