Closed
Bug 851673
Opened 12 years ago
Closed 12 years ago
Assertion failure: v.isUndefined(), at jsarray.cpp
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: gkw, Assigned: Waldo)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Attachments
(2 files)
|
4.81 KB,
text/plain
|
Details | |
|
1021 bytes,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
x = (/x/).exec();
y = wrapWithProto((new WeakMap), x);
y.length = 7;
Array.prototype.push.call(y, 1);
Array.prototype.reverse.call(y);
asserts js debug shell on m-c changeset 8f5b1f9f5804 without any CLI arguments at Assertion failure: v.isUndefined(),
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 1•12 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
Reporter | |
Comment 2•12 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 124725:5d58b6d250d5
user: Jeff Walden
date: Mon Mar 04 09:41:11 2013 -0800
summary: Bug 843402 - Make all always-inlined methods just inline, and let the compiler choose how to optimize. r=http://perf.snarkfest.net/compare-talos/index.html?oldRevs=7ad145f9b092&newRev=6be7cad95d97&submit=true is a wash
Waldo, is this bug a likely regressor?
Blocks: 843402
Flags: needinfo?(jwalden+bmo)
Summary: "Assertion failure: v.isUndefined()," → Assertion failure: v.isUndefined(), at jsarray.cpp
|
Assignee | |
Comment 3•12 years ago
|
||
Not in the least. :-) I'll take a look at this anyway, tho, since you've flagged me.
Flags: needinfo?(jwalden+bmo)
|
|
Assignee | |
Comment 4•12 years ago
|
||
I can't reproduce this on linux64, on that rev. It might be OS X-only. Probably a compiler bug, if so, and if this wasn't a false alarm.
|
|
Assignee | |
Comment 5•12 years ago
|
||
*Can* reproduce with clang, linux64, --enable-debug --enable-optimize. Good times.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 6•12 years ago
|
||
The fickle finger of fate points at bholley!
Attachment #725669 -
Flags: review?(bobbyholley+bmo)
|
|
Assignee | |
Comment 7•12 years ago
|
||
Looks like this dates to bug 778085, and the INVOKE_HANDLER_ON_PROTOTYPE stuff. (Incidentally this is why the ES6 proxy MOP puts the prototype-walking *not* in every hook. :-) ) Judging by the diff of the relevant revision on jsproxy.cpp, this is the only two-outparam method that needs fixing.
|
|
Assignee | |
Comment 8•12 years ago
|
||
Oh, and I overspoke when I said compiler bug. :-) It's undefined behavior, no compiler bug in sight. I guess making the optimizer have to consider whether to inline the Value methods perturbed it enough, for clang, to make behavior actually go visibly wrong.
|
||
Comment 9•12 years ago
|
||
Comment on attachment 725669 [details] [diff] [review]
Patch
Review of attachment 725669 [details] [diff] [review]:
-----------------------------------------------------------------
Should we just set *present to false at the beginning of the function? r=bholley either way.
Attachment #725669 -
Flags: review?(bobbyholley+bmo) → review+
|
|
Assignee | |
Comment 10•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/058f18f1426b
I prefer leaving on-success outparam setting til the last minute, ideally adjacent to the successful-return case that it accompanies. And this code should go away as we improve our objectops/proxy APIs to be more spec-like.
OS: Mac OS X → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla22
|
||
Comment 11•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•