Closed Bug 922118 Opened 10 years ago Closed 10 years ago

Assertion failure: !vp.isMagic(), at jsobj.cpp:4030

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
723 bytes, text/plain
Details
Patch
14.38 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 8f805d3ef377 (run with --fuzzing-safe --ion-eager):


var lfcode = new Array();
lfcode.push("1");
lfcode.push("");
lfcode.push("0");
lfcode.push("function arguments() { };");
lfcode.push("1");
lfcode.push("\
var GLOBAL_PROPERTIES = new Array();\
var i = 0;\
for ( p in this ) {\
  GLOBAL_PROPERTIES[i++] = p;\
  for ( i = 0; i < GLOBAL_PROPERTIES.length; i++ ) {\
      eval(GLOBAL_PROPERTIES[i]) \
  }\
}\
");
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
        loadFile(file)
}
function loadFile(lfVarx) {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                case 0: evaluate(lfVarx); break;
                case 1: eval(lfVarx); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
    }
}
Let's see if JSBugMon works on this...
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/aca02ab3f2d3
user:        Jan de Mooij
date:        Thu Sep 12 11:14:20 2013 +0200
summary:     Bug 914341 - Fix BC to wrap primitive |this| in eval scripts. r=djvj

This iteration took 383.822 seconds to run.
Jan, is bug 914341 a likely regressor?
Blocks: 914341
Flags: needinfo?(jdemooij)
Keywords: regression
(In reply to Gary Kwong [:gkw] [:nth10sd] (still catching up on bugmail) from comment #4)
> Jan, is bug 914341 a likely regressor?

No it's not. I can see how that bug may confuse JSBugMon but this is an arguments-object issue. Investigating...
No longer blocks: 914341
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Component: JavaScript Engine → JavaScript Engine: JIT
Flags: needinfo?(jdemooij)
Regression from bug 743394.
Blocks: 743394
Attached patch PatchSplinter Review 
Ion checks whether the eval string has "arguments" in it but it should also check for "eval" because an inner eval can contain "arguments".
Attachment #815005 - Flags: review?(bhackett1024)
Attachment #815005 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/979ff52f1482
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
You need to log in before you can comment on or make changes to this bug.