Closed Bug 789735 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::types::TypeObject::addProperty] or "Assertion failure: !hasLazyType(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: sstangl)

References

Details

(4 keywords)

Crash Data

Attachments

(2 files)

stack
10.68 KB, text/plain
Details
patch
1.05 KB, patch
dvander
: review+
Details | Diff | Splinter Review
Attached file stack
for each(let c in [ {}, Object, {}, Object, function() {}, {}, function() {}, function() {}, function() {}, {}, Object, Object, function() {}, Object, function() {}, {}, Object, function() {}, Object, function() {}, {}, function() {}, function() {}, function() {}, function() {}, function() {}, function() {}, Object, function() {}, function() {}, function() {}, Object, {}, function() {}, Object, function() {}, function() {}, function() {}, {}, {} ]) { try { (function() { c.watch() })() } catch (e) {} } asserts 64-bit js debug shell on IonMonkey changeset 18142c3076a1 with --no-jm at Assertion failure: !hasLazyType(), and crashes js opt shell at js::types::TypeObject::addProperty Seems to be a null crash but locking s-s just to be safe. Due to skipped revisions, the first bad revision could be any of: changeset: 105607:6cd206b37176 parent: 104959:b63bb39ed1c0 parent: 105606:a0240c1043ee user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 17:51:24 2012 -0700 summary: Merge from mozilla-central. changeset: 105758:7bf95bb09233 parent: 105607:6cd206b37176 parent: 105757:706174d31a02 user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 17:57:37 2012 -0700 summary: Merge from mozilla-central. changeset: 105759:003feda8a0b3 parent: 105758:7bf95bb09233 parent: 104963:630296b1c46d user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 17:58:13 2012 -0700 summary: Merge. changeset: 105760:8f2d38db4b56 user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 18:04:42 2012 -0700 summary: Fix merge bustage.
Reproduces nondeterministically.
Attached patch patchSplinter Review
Use getType() instead of type(), since the typeobject may still require lazy creation. I'm not sure why this is nondeterministic, but the object appears valid.
Attachment #659864 - Flags: review?(dvander)
Attachment #659864 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/c60d8106fd07
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee: general → sstangl
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: