Last Comment Bug 721939 - "Assertion failure: vp[1].isObject(),"
: "Assertion failure: vp[1].isObject(),"
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Mac OS X
-- critical (vote)
: mozilla13
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz 717208
  Show dependency treegraph
Reported: 2012-01-27 19:23 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-02-07 12:14 PST (History)
5 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

stack (1.64 KB, text/plain)
2012-01-27 19:23 PST, Gary Kwong [:gkw] [:nth10sd]
no flags Details
patch (703 bytes, patch)
2012-02-01 16:57 PST, Brian Hackett (:bhackett)
dvander: review+
Details | Diff | Splinter Review

Description User image Gary Kwong [:gkw] [:nth10sd] 2012-01-27 19:23:03 PST
Created attachment 592353 [details]

a = Function.prototype.__proto__
a[3] = a
x = 7;
for each(d in []) {
  d.__noSuchMethod__ = Object.isSealed

asserts js debug shell on m-c changeset 8a59519e137e with -m and -a at Assertion failure: vp[1].isObject(),
Comment 1 User image Gary Kwong [:gkw] [:nth10sd] 2012-01-27 19:45:35 PST
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84323:16f0d80b3137
user:        Brian Hackett
date:        Wed Jan 11 17:31:41 2012 -0800
summary:     Account for all special CALLPROP behavior in inline cache stub, bug 717208. r=dvander
Comment 2 User image Brian Hackett (:bhackett) 2012-02-01 16:57:59 PST
Created attachment 593657 [details] [diff] [review]

__noSuchMethod__ seems to have the property that it shouldn't be called if the lvalue in the property access is not an object, but the way the property cache invokes GetPropertyOperation allowed __noSuchMethod__ to be called on primitives.
Comment 3 User image Brian Hackett (:bhackett) 2012-02-06 10:50:26 PST
Comment 4 User image Ed Morley [:emorley] 2012-02-07 12:14:31 PST

Note You need to log in before you can comment on or make changes to this bug.