The default bug view has changed. See this FAQ.

IonMonkey: "Assertion failure: !isOwn,"

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: efaust)

Tracking

(Blocks: 2 bugs, {assertion, regression, testcase})

Other Branch
x86_64
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 652797 [details]
stack

var glob = this;
var arr = [];
Object.defineProperty(arr, 0, {
  get: (function() {
    glob.__proto__;
  })
});
this.watch("s", function() {});
try {
  arr.pop();
} catch (e) {}
arr.pop();


asserts js debug shell on IonMonkey changeset d794f23798f4 with --no-jm and --ion-eager at Assertion failure: !isOwn,

(not sure if this is correct):

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   101425:adb60cc7b150
parent:      100948:5d1128ed64af
parent:      101424:9b876829ed32
user:        David Anderson
date:        Wed Jul 18 19:02:32 2012 -0700
summary:     Merge from mozilla-central.
(Assignee)

Comment 1

5 years ago
Created attachment 652968 [details] [diff] [review]
Fix

The bug was that we were trying to only deal with Object.watch on setters, but because of TI limitations, we need to refuse getters as well in the presence of watched objects on the prototype chain.
Attachment #652968 - Flags: review?(sstangl)
(Assignee)

Updated

5 years ago
Assignee: general → efaustbmo
Status: NEW → ASSIGNED

Updated

5 years ago
Attachment #652968 - Flags: review?(sstangl) → review+
(Assignee)

Comment 2

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/8dfc1dbac04b
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug783590.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.