Closed Bug 935331 Opened 11 years ago Closed 11 years ago

Assertion failure: is<CallObject>() || is<ClonedBlockObject>(), at ../vm/ScopeObject.h:771 or Assertion failure: type() != NAMED_LAMBDA, at vm/ScopeObject.cpp:74 or Crash on Heap

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Tracking: VERIFIED FIXED, target milestone mozilla28
People: Reporter: decoder, Assigned: jandem
Details: 4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update]
Attachments: 1 file

The following testcase asserts on mozilla-central revision 770de5942471 (run with --fuzzing-safe):


function test() {
  var a = {y: 1};
  function B() {}
  // Strict-mode setter: the eval below is a strict direct eval, so the
  // 'var arguments' declaration is a SyntaxError that lands in the catch block.
  B.prototype.__defineSetter__('x', function setx(val) {
    'use strict';
    try {
      eval('function foo() { var arguments = 42;}');
    } catch (index) {
      // 'a' is a plain object, not a constructor: a correct engine throws a
      // TypeError here rather than hitting the scope-object assertion.
      return (index instanceof a);
    }
  });
  var b = new B;
  var arr = [a, b];
  for (var obj of arr)
    obj.x = 2;   // the second iteration (b) runs the setter on B.prototype
}
test();
Keywords: crash
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/495a9c210b91
user:        Jan de Mooij
date:        Mon Nov 04 11:40:24 2013 +0100
summary:     Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett

This iteration took 0.962 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5446435cc94a).
This was fixed by backing out bug 933798.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Keywords: regression
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]
Assignee: general → jdemooij
Blocks: 933798
Target Milestone: --- → mozilla28
Keywords: verifyme
With Nightly js shell from 2013-11-05 on Ubuntu 13.10 64bit, I get: "Segmentation fault (core dumped)"
With FF 28 beta 2 shell I get: "TypeError: invalid 'instanceof' operand a". Tried on 2 different machines.
Any idea on this? Thanks in advance!
Flags: needinfo?(jdemooij)
(In reply to Alexandra Lucinet, QA Mentor [:adalucinet] from comment #5)
> With Nightly js shell from 2013-11-05 on Ubuntu 13.10 64bit, I get:
> "Segmentation fault (core dumped)"
> With FF 28 beta 2 shell I get: "TypeError: invalid 'instanceof' operand a".
> Tried on 2 different machines.
> Any idea on this? Thanks in advance!

The regressing changeset seems to have been backed out as per comment 4, so not crashing seems to be correct.
And "invalid 'instanceof' operand" seems reasonable; the rhs should be a (constructor) function.
Status: RESOLVED → VERIFIED
Flags: needinfo?(jdemooij)
Keywords: verifyme
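The non-crashing behaviour that the verification above treats as correct, as an added example that is not part of this bug report or of SpiderMonkey's code. It runs the reporter's testcase unchanged under ordinary ECMAScript semantics (any engine, e.g. a Node shell) and records which exceptions are reached: the strict direct eval must reject 'var arguments' with a SyntaxError, the catch block's instanceof with a plain object on the right must throw a TypeError, and that TypeError is what should escape test() instead of an assertion failure or a segfault. The sloppy-mode contrast uses an indirect eval so it stays non-strict whatever mode the surrounding file is in. The helper names (strictEvalArgumentsError, sloppyEvalArgumentsValue, instanceofNonCallable, runTestcase) are my own.

```javascript
// Added example: expected exception paths of the bug 935331 testcase under
// plain ECMAScript semantics. Helper names are my own, not from the bug.

// Strict direct eval: declaring `var arguments` is rejected at parse time.
function strictEvalArgumentsError() {
  'use strict';
  try {
    eval('function foo() { var arguments = 42; }');
    return null;                 // would mean the engine accepted strict `var arguments`
  } catch (e) {
    return e.constructor.name;   // "SyntaxError"
  }
}

// Contrast: in sloppy code the same declaration is legal. Indirect eval is
// always evaluated as global, non-strict code, so this holds even if the
// file itself is strict; the eval'd function shadows `arguments` and returns 42.
function sloppyEvalArgumentsValue() {
  return (0, eval)('(function () { var arguments = 42; return arguments; })()');
}

// instanceof with a non-callable right-hand side (a plain object, no
// Symbol.hasInstance) throws TypeError. This is the path the testcase's
// catch block takes after the SyntaxError above.
function instanceofNonCallable() {
  const a = { y: 1 };
  try {
    void (new Error('x') instanceof a);
    return null;
  } catch (e) {
    return e.constructor.name;   // "TypeError"
  }
}

// The testcase as reported, instrumented to show how far the loop gets and
// which exception escapes test(). a.x is set normally on the first iteration;
// the second iteration invokes the strict setter on B.prototype.
function runTestcase() {
  const a = { y: 1 };
  function B() {}
  B.prototype.__defineSetter__('x', function setx(val) {
    'use strict';
    try {
      eval('function foo() { var arguments = 42;}');
    } catch (index) {
      return (index instanceof a);   // throws TypeError: a is not callable
    }
  });
  const b = new B();
  const visited = [];
  try {
    for (const obj of [a, b]) {
      visited.push(obj === a ? 'a' : 'b');
      obj.x = 2;
    }
    return { error: null, visited, aX: a.x };
  } catch (e) {
    return { error: e.constructor.name, visited, aX: a.x };
  }
}

console.log(runTestcase());   // { error: 'TypeError', visited: [ 'a', 'b' ], aX: 2 }
```

An engine that asserts or segfaults before reaching the TypeError, as the 2013-11-05 nightly did, is the regression; the FF 28 beta shell's "invalid 'instanceof' operand" is the expected outcome.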