Bug 721939 - "Assertion failure: vp[1].isObject(),"
Status: RESOLVED FIXED
js-triage-needed
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86 Mac OS X
: -- critical
: mozilla13
Assigned To: Brian Hackett (:bhackett)
Blocks: jsfunfuzz 717208
Reported: 2012-01-27 19:23 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-02-07 12:14 PST


Attachments
stack (1.64 KB, text/plain)
2012-01-27 19:23 PST, Gary Kwong [:gkw] [:nth10sd]
no flags
patch (703 bytes, patch)
2012-02-01 16:57 PST, Brian Hackett (:bhackett)
dvander: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-01-27 19:23:03 PST
Created attachment 592353
stack

a = Function.prototype.__proto__
a[3] = a
x = 7;
for each(d in []) {
  d.__noSuchMethod__ = Object.isSealed
}
Function("x.f()")()


asserts js debug shell on m-c changeset 8a59519e137e with -m and -a at Assertion failure: vp[1].isObject(),

Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-01-27 19:45:35 PST
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84323:16f0d80b3137
user:        Brian Hackett
date:        Wed Jan 11 17:31:41 2012 -0800
summary:     Account for all special CALLPROP behavior in inline cache stub, bug 717208. r=dvander

Comment 2 Brian Hackett (:bhackett) 2012-02-01 16:57:59 PST
Created attachment 593657
patch

__noSuchMethod__ seems to have the property that it shouldn't be called if the lvalue in the property access is not an object, but the way the property cache invokes GetPropertyOperation allowed __noSuchMethod__ to be called on primitives.
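
The invariant described in comment 2, as a simplified model in plain JavaScript (an added example, not SpiderMonkey code and not the attached patch; all function names are hypothetical): the `__noSuchMethod__` fallback has to check that the receiver is an object on every path that can reach it. The constructed scenario compares a guarded lookup with one that omits the check, using a primitive receiver as in the testcase.

```javascript
// Simplified model of a CALLPROP-style lookup. Added example, not SpiderMonkey
// source: every function name below is hypothetical.
const NO_SUCH_METHOD = "__noSuchMethod__";
const isObject = (v) => (typeof v === "object" && v !== null) || typeof v === "function";

// Walk the prototype chain; a primitive receiver starts at its wrapper prototype.
function lookup(receiver, name) {
  let o = isObject(receiver) ? receiver : Object.getPrototypeOf(Object(receiver));
  for (; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, name);
    if (desc) return desc.value;
  }
  return undefined;
}

// Stand-in for the handler setup that carries the vp[1].isObject() assertion.
function onUnknownMethod(receiver, name) {
  if (!isObject(receiver)) throw new Error("Assertion failure: vp[1].isObject()");
  return { kind: "noSuchMethod", handler: lookup(receiver, NO_SUCH_METHOD), name };
}

// guardReceiver=false models a lookup path that forgets the receiver-type check.
function callProp(receiver, name, guardReceiver) {
  const fn = lookup(receiver, name);
  if (fn !== undefined) return { kind: "method", fn };
  if (lookup(receiver, NO_SUCH_METHOD) === undefined) return { kind: "undefined" };
  if (guardReceiver && !isObject(receiver)) return { kind: "undefined" };
  return onUnknownMethod(receiver, name);
}

// Constructed scenario: a handler reachable from every prototype chain, x = 7.
function demo() {
  const attrs = { value: Object.isSealed, configurable: true };
  Object.defineProperty(Object.prototype, NO_SUCH_METHOD, attrs);
  try {
    const result = { object: callProp({}, "f", true).kind };
    result.guarded = callProp(7, "f", true).kind;
    try {
      result.unguarded = callProp(7, "f", false).kind;
    } catch (e) {
      result.unguarded = e.message; // the modelled assertion fires
    }
    return result;
  } finally {
    delete Object.prototype[NO_SUCH_METHOD]; // leave the global prototype clean
  }
}

console.log(demo());
```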

Comment 3 Brian Hackett (:bhackett) 2012-02-06 10:50:26 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/e62254ca31f8

Comment 4 Ed Morley [:emorley] 2012-02-07 12:14:31 PST
https://hg.mozilla.org/mozilla-central/rev/e62254ca31f8
