Closed Bug 752205 Opened 12 years ago Closed 12 years ago

Assertion failure: v.toString()->isAtom(), at ../frontend/BytecodeEmitter.h:547

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla15

People

(Reporter: decoder, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-done)

Attachments

(1 file)

fix and test
1.66 KB, patch
n.nethercote
: review+
Details | Diff | Splinter Review 
The following test asserts on mozilla-central revision 032d43b1770f (no options required):


for (d in [(1000), 0]) {
    const a = (d += (this).toString())
}
eval("switch(b) { case a: }");
jsfunfuzz found this too - reproduced on 64-bit Mac OS X 10.7.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   92788:6dbb135d3f1f
user:        Luke Wagner
date:        Tue May 01 14:01:06 2012 -0700
summary:     Bug 749617 - rm XDRState::codeString (r=njn,a=not-libxul)
Blocks: 749617
Keywords: regression
OS: Linux → All
Attached patch fix and testSplinter Review 
Ah, const vars as case labels allow raw values hence non-atomized strings.

Thanks for the test case!
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #621617 - Flags: review?(n.nethercote)
Attachment #621617 - Flags: review?(n.nethercote) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/bce99efec425
Whiteboard: js-triage-needed → js-triage-done
Target Milestone: --- → mozilla15
https://hg.mozilla.org/mozilla-central/rev/bce99efec425
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug752205.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: