Closed
Bug 823715
Opened 12 years ago
Closed 12 years ago
"Assertion failure: JSVAL_IS_DOUBLE_IMPL(data),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla20
People
(Reporter: gkw, Assigned: jandem)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:testComment=2,origRev=868b21bed3eb])
Attachments
(2 files)
|
8.54 KB,
text/plain
|
Details | |
|
3.07 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
for (var i = 0; i < 9; ++i) {
var g = this[Object.getOwnPropertyNames(this)[i]];
for (var j = 0; j < 9; ++j) {
try {
g.prototype[Object.getOwnPropertyNames(g.prototype)[j]]
} catch (e) {}
}
}
asserts js debug shell on m-c changeset 868b21bed3eb without any CLI arguments at Assertion failure: JSVAL_IS_DOUBLE_IMPL(data),
This testcase requires --enable-more-deterministic but I think I can get a testcase without --enable-more-deterministic.
jsfunfuzz hits this very very early on prior to generation of any random code, so having this bug renders jsfunfuzz almost inoperable.
|
||
Updated•12 years ago
|
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:]
|
|
||
Comment 1•12 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
Reporter | |
Comment 2•12 years ago
|
||
for (var i = 0; i < 99; ++i) {
var g = this[Object.getOwnPropertyNames(this)[i]];
for (var j = 0; j < 9; ++j) {
try {
g.prototype[Object.getOwnPropertyNames(g.prototype)[j]];
} catch (e) {}
}
}
This testcase does not require --enable-more-deterministic - I think the only difference is the first for-loop needing to loop 99 times here instead of only 9 times in comment 0.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 116633:91dae8287643
user: Jan de Mooij
date: Thu Dec 20 15:27:54 2012 +0100
summary: Bug 822385 - Add getter, setter and method with jitinfo to the shell. r=bz
jandem, this is pretty bad, do you mind looking at this asap?
Blocks: 822385
Flags: needinfo?(jdemooij)
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update,testComment=1]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=1] → [fuzzblocker] [jsbugmon:update,testComment=1,origRev=868b21bed3eb]
|
|
||
Updated•12 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=1,origRev=868b21bed3eb] → [fuzzblocker] [jsbugmon:testComment=1,origRev=868b21bed3eb]
|
|
||
Comment 3•12 years ago
|
||
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:testComment=1,origRev=868b21bed3eb] → [fuzzblocker] [jsbugmon:update,testComment=2,origRev=868b21bed3eb]
|
|
||
Comment 4•12 years ago
|
||
Oops. This is definitely a bug in the patch for bug 822385. This part:
>+ JS::Value val = js::GetReservedSlot(obj, DOM_OBJECT_SLOT);
Is wrong because the shell object setup differs from actual DOM objects in a crucial way. In particular, the "DOM proto" is set up with the same JSClass as the "DOM objects" in the shell, which is NOT how actual DOM objects work. But the proto of course does not have a useful private set. So we pass the class check in dom_generic*, but then try to val.toPrivate() on the reserved slot, and that fails.
We should probably just use ObjectClass for the proto.
|
Assignee | |
Comment 5•12 years ago
|
||
I'm not sure how to use the Object proto as prototype and still be able to use InitClass. Furthermore, I'm not sure if the IonMonkey paths still work with that. So this patch just initializes FakeDOMObject.prototype.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #694741 -
Flags: review?(bzbarsky)
Flags: needinfo?(jdemooij)
|
|
||
Comment 6•12 years ago
|
||
Comment on attachment 694741 [details] [diff] [review]
Patch
The Ion paths should work fine with that, but yeah, you can't JS_InitClass, I guess.
r=me; at some point if it becomes needed we can make this look more like actual DOM objects.
Attachment #694741 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 7•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a431a8e935bf
Thanks for the quick review!
|
|
||
Updated•12 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=2,origRev=868b21bed3eb] → [fuzzblocker] [jsbugmon:update,testComment=2,origRev=868b21bed3eb,ignore]
|
|
||
Comment 8•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ea373e534245).
|
||
Comment 9•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=2,origRev=868b21bed3eb,ignore] → [fuzzblocker] [jsbugmon:update,testComment=2,origRev=868b21bed3eb]
Target Milestone: --- → mozilla20
|
|
Reporter | |
Comment 10•12 years ago
|
||
A variant of the test landed -> in-testsuite+ and VERIFIED on behalf of jsbugmon.
Status: RESOLVED → VERIFIED
Flags: in-testsuite? → in-testsuite+
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=2,origRev=868b21bed3eb] → [fuzzblocker] [jsbugmon:testComment=2,origRev=868b21bed3eb]
You need to log in
before you can comment on or make changes to this bug.
Description
•