Closed Bug 855088 Opened 11 years ago Closed 11 years ago

Assertion failure: !val.isMagic(), at jsobj.cpp:4647

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,origRev=c9bf19d37fe0,ignore])

Attachments

(1 file)

patch
1.60 KB, patch
luke
: review+
Details | Diff | Splinter Review 
The following testcase asserts on baseline compiler branch revision 9b49708949da (run with ):


(function (y) {
    arguments.y = 2;
    with (0) var arguments=5;    
})(1);
Group: core-security
I can reproduce this on mozilla-inbound, revision 61b8a5101c5b.

Let's see if I can tell JSBugMon to bisect this..
No longer blocks: BaselineFuzz
Summary: BaselineCompiler: Assertion failure: !val.isMagic(), at jsobj.cpp:4647 → Assertion failure: !val.isMagic(), at jsobj.cpp:4647
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect,origRev=c9bf19d37fe0]
Whiteboard: [jsbugmon:update,bisect,origRev=c9bf19d37fe0] → [jsbugmon:update,origRev=c9bf19d37fe0]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122738:e3b899354a6f
user:        Brian Hackett
date:        Wed Feb 20 04:54:13 2013 -0700
summary:     Bug 842522 - Don't force construction of arguments objects in the presence of dynamic name accesses, r=luke.

This iteration took 151.910 seconds to run.
Needinfo from Brian based on comment 2 :)
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
Declaring a variable within a 'with' statement causes that variable to disappear into a black hole, showing up in neither the containing function's lexical dependencies nor definitions, despite the fact that it is always defined.  This patch hacks around that.  It would be nice if this logic could go in checkFunctionArguments like the related stuff, but that's difficult to do with no record of the new binding recorded anywhere.
Attachment #735761 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
Comment on attachment 735761 [details] [diff] [review]
patch

I keep hoping the entire way we deal with 'with' will be rewritten...
Attachment #735761 - Flags: review?(luke) → review+
Whiteboard: [jsbugmon:update,origRev=c9bf19d37fe0] → [jsbugmon:update,origRev=c9bf19d37fe0,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d989eab66df4).
https://hg.mozilla.org/mozilla-central/rev/e329fecc259f
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Depends on: 861841
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: