Closed Bug 806522 Opened 7 years ago Closed 6 years ago

"Assertion failure: getSlot(EVAL).isObject()," or Assertion failure: getSlotRefForCompilation(EVAL).isObject(), at js/src/vm/GlobalObject.h

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla28

People

(Reporter: gkw, Assigned: jorendorff)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Attached file stack
evalcx("\
    let(eval) {\
        eval()\
    }\
", evalcx('lazy'))

asserts js debug shell on m-c changeset 3fb7c935a625 with --no-jm --no-ion --no-ti at Assertion failure: getSlot(EVAL).isObject(),


autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   79157:d6f9285f623e
user:        Igor Bukanov
date:        Thu Sep 22 12:08:55 2011 +0200
summary:     bug 684529 - remove script object. r=jorendorff
evalcx("let(eval) {eval()}", evalcx('lazy'))
Assignee: general → jorendorff
This happens when we hit JSOP_EVAL without having resolved global.eval yet.

I'm not sure there's any danger in release builds. I'll write a fix tomorrow.

var g = evalcx("lazy");
evaluate("let(eval) {eval()}", {global: g});
(In reply to Jason Orendorff [:jorendorff] from comment #2)
> This happens when we hit JSOP_EVAL without having resolved global.eval yet.
> 
> I'm not sure there's any danger in release builds. I'll write a fix tomorrow.

jorendorff, was there any movement on this front or did it slip off your radar?
Flags: needinfo?(jorendorff)
(In reply to Jason Orendorff [:jorendorff] from comment #2)
> This happens when we hit JSOP_EVAL without having resolved global.eval yet.
> 
> I'm not sure there's any danger in release builds. I'll write a fix tomorrow.

jorendorff, was there any movement on this front or did it slip off your radar?
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Let's try to see if JSBugMon can handle this again. (I can still repro this on a recent m-c build locally)
Whiteboard: [jsbugmon:] → [jsbugmon:update,reconfirm]
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:update,reconfirm,ignore]
JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision e7632ab657e5).
Whiteboard: [jsbugmon:update,reconfirm,ignore] → [jsbugmon:update]
Attachment #8338657 - Flags: review?(jwalden+bmo)
Flags: needinfo?(jorendorff)
Comment on attachment 8338657 [details] [diff] [review]
bug-806522-eval-v1.patch

Review of attachment 8338657 [details] [diff] [review]:
-----------------------------------------------------------------

This is actually kinda prettier than it used to be!  That, or my sense of taste is going.
Attachment #8338657 - Flags: review?(jwalden+bmo) → review+
Just coming around to help land this, and fix the long-time fuzz bug:

https://hg.mozilla.org/integration/mozilla-inbound/rev/f6114308c97d
Target Milestone: --- → mozilla28
Flags: in-testsuite+
This had recently morphed to:

Assertion failure: getSlotRefForCompilation(EVAL).isObject(), at js/src/vm/GlobalObject.h
Summary: "Assertion failure: getSlot(EVAL).isObject()," → "Assertion failure: getSlot(EVAL).isObject()," or Assertion failure: getSlotRefForCompilation(EVAL).isObject(), at js/src/vm/GlobalObject.h
https://hg.mozilla.org/mozilla-central/rev/f6114308c97d
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Keywords: verifyme
This shouldn't be "verifyme" since it's in-testsuite+... my bad
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.