Closed Bug 724784 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::PropertyTable::search] or "Assertion failure: table_ && isOwned(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 724788

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

stack
13.85 KB, text/plain
Details
Attached file stack 
a = Object.prototype
function f(o) {
    try {
        ({
            x: [eval("o")][0]
        }.x.__defineGetter__("toString", function() {
            e;
        }));
        (function() {} + o)
    } catch (e) {}({} == 1)
}
f(a)

crashes js debug and opt shell on IonMonkey changeset f46cfb199e77 with -m, --ion, --ion-eager and -n at js::PropertyTable::search
a = {}
o = String.prototype.__proto__
function f3() {
    try {
        ({
            x: eval("o")
        }.x.__defineGetter__("", function() {
            o
        }))
    } catch (e) {}
    for (x in o) {
        o[x]
    }[function() {
        return o
    }()][0].h = 1
}
for (i = 0; i < 12; i++) {
    f3()
    f3()
}
for (p in a) {
    a[p]
}

is a testcase that crashes opt at the same signature and asserts js debug at Assertion failure: table_ && isOwned(), on IonMonkey changeset 40112ee40593 with --ion, -n and -m.
Summary: IonMonkey: Crash [@ js::PropertyTable::search] → IonMonkey: Crash [@ js::PropertyTable::search] or "Assertion failure: table_ && isOwned(),"
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
A testcase for this bug was already added in the original bug (bug 724788).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: