Closed
Bug 882933
Opened 11 years ago
Closed 11 years ago
Assertion failure: script->treatAsRunOnce, at vm/Interpreter.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla25
| Tracking | Status | |
|---|---|---|
| firefox-esr24 | --- | verified |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments
(2 files)
|
5.84 KB,
text/plain
|
Details | |
|
1.56 KB,
patch
|
luke
:
review+
lsblakk
:
approval-mozilla-esr24+
|
Details | Diff | Splinter Review |
(s=>7)() asserts js debug shell on m-c changeset b197bed90a98 with --no-ti at Assertion failure: script->treatAsRunOnce, at vm/Interpreter.cpp (This still reproduces on tip on mozilla-inbound) This is blowing up jsfunfuzz :-/
|
Reporter | |
Comment 1•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/0a5f190b9f9b user: Brian Hackett date: Fri May 31 16:22:34 2013 -0600 summary: Bug 864218 - Improve performance when accessing variables defined in run-once closures, r=luke,jandem.
Blocks: 864218
Flags: needinfo?(bhackett1024)
|
Assignee | |
Comment 2•11 years ago
|
||
Cloning a script doesn't preserve the treatAsRunOnce bit on the script, though not doing so won't really lead to anything bad later, except maybe some unnecessary deoptimization. The arrow function's script gets deep cloned whenever the arrow lambda is created, which is pretty bad for perf and is also fixed by this patch.
Assignee: general → bhackett1024
Attachment #766458 -
Flags: review?(luke)
Flags: needinfo?(bhackett1024)
|
|
||
Updated•11 years ago
|
Attachment #766458 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 3•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/07b41e0cded6
|
||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/07b41e0cded6
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
|
|
Reporter | |
Comment 5•11 years ago
|
||
I recently had time to migrate the fuzzing harness from ESR 17 to ESR 24. It will be nice to backport this fuzzblocker, thanks!
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 6•11 years ago
|
||
Comment on attachment 766458 [details] [diff] [review] patch [Approval Request Comment] See comment 5
Attachment #766458 -
Flags: approval-mozilla-esr24?
Flags: needinfo?(bhackett1024)
|
||
Updated•10 years ago
|
Attachment #766458 -
Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr24/rev/70cf6a359cb4
status-firefox-esr24:
--- → fixed
|
|
Reporter | |
Comment 9•10 years ago
|
||
(In reply to Matt Wobensmith from comment #8) > Gary, can you verify that this was fixed? Thanks. VERIFIED fixed, tested on rev cafe909f7e07.
Status: RESOLVED → VERIFIED
Flags: needinfo?(gary)
|
|
Reporter | |
Comment 10•10 years ago
|
||
And also verified on esr24 branch rev 206679523c3c.
You need to log in
before you can comment on or make changes to this bug.
Description
•