Closed Bug 721939 Opened 12 years ago Closed 12 years ago

"Assertion failure: vp[1].isObject(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla13

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)

Attachments

(2 files)

stack
1.64 KB, text/plain
Details
patch
703 bytes, patch
dvander
: review+
Details | Diff | Splinter Review
Attached file stack 
a = Function.prototype.__proto__
a[3] = a
x = 7;
for each(d in []) {
  d.__noSuchMethod__ = Object.isSealed
}
Function("x.f()")()


asserts js debug shell on m-c changeset 8a59519e137e with -m and -a at Assertion failure: vp[1].isObject(),
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   84323:16f0d80b3137
user:        Brian Hackett
date:        Wed Jan 11 17:31:41 2012 -0800
summary:     Account for all special CALLPROP behavior in inline cache stub, bug 717208. r=dvander
Blocks: 717208
Attached patch patchSplinter Review 
__noSuchMethod__ seems to have the property that it shouldn't be called if the lvalue in the property access is not an object, but the way the property cache invokes GetPropertyOperation allowed __noSuchMethod__ to be called on primitives.
Assignee: general → bhackett1024
Attachment #593657 - Flags: review?(dvander)
Attachment #593657 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/e62254ca31f8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: