Closed Bug 752205 Opened 13 years ago Closed 13 years ago

Assertion failure: v.toString()->isAtom(), at ../frontend/BytecodeEmitter.h:547

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla15

People

(Reporter: decoder, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-done)

Attachments

(1 file)

fix and test
1.66 KB, patch
n.nethercote
: review+
Details | Diff | Splinter Review
The following test asserts on mozilla-central revision 032d43b1770f (no options required): for (d in [(1000), 0]) { const a = (d += (this).toString()) } eval("switch(b) { case a: }");
jsfunfuzz found this too - reproduced on 64-bit Mac OS X 10.7. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 92788:6dbb135d3f1f user: Luke Wagner date: Tue May 01 14:01:06 2012 -0700 summary: Bug 749617 - rm XDRState::codeString (r=njn,a=not-libxul)
Blocks: 749617
Keywords: regression
OS: Linux → All
Attached patch fix and testSplinter Review
Ah, const vars as case labels allow raw values hence non-atomized strings. Thanks for the test case!
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #621617 - Flags: review?(n.nethercote)
Attachment #621617 - Flags: review?(n.nethercote) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/bce99efec425
Whiteboard: js-triage-needed → js-triage-done
Target Milestone: --- → mozilla15
https://hg.mozilla.org/mozilla-central/rev/bce99efec425
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug752205.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: