Closed
Bug 973566
Opened 10 years ago
Closed 10 years ago
[jsdbg2] Assertion failure: offsetsv.isUndefined(), at vm/Debugger.cpp:3381
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
Tracking | Status | |
---|---|---|
firefox30 | --- | affected |
People
(Reporter: decoder, Assigned: jorendorff)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(3 files)
426 bytes,
text/plain
|
Details | |
3.92 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
3.17 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 2bddbd180d2d (run with --fuzzing-safe): Object.prototype[1] = 'peek'; var g = newGlobal(); var dbg = Debugger(g); dbg.onEnterFrame = function (frame) { var lines = frame.script.getAllOffsets(); }; g.eval("1;");
Reporter | ||
Comment 1•10 years ago
|
||
Reporter | ||
Updated•10 years ago
|
status-firefox30:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → jorendorff
Assignee | ||
Comment 2•10 years ago
|
||
Attachment #8377725 -
Flags: review?(jimb)
Assignee | ||
Comment 3•10 years ago
|
||
Change two other call sites to use the new, simpler js::HasOwnProperty API. (The rest make use of the Shape outparam at least.)
Attachment #8377736 -
Flags: review?(jimb)
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 4•10 years ago
|
||
JSBugMon: Bisection requested, result: === Tinderbox Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20140204131033" and the hash "326a283714a8". The "bad" changeset has the timestamp "20140204132432" and the hash "2c84be838689". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=326a283714a8&tochange=2c84be838689
Comment 5•10 years ago
|
||
Comment on attachment 8377725 [details] [diff] [review] bug-973566-Debugger-v1.patch Review of attachment 8377725 [details] [diff] [review]: ----------------------------------------------------------------- In other words, "Don't check the prototype chain"? Seems reasonable. ::: js/src/vm/Debugger.cpp @@ -3383,5 @@ > /* > * Create an empty offsets array for this line. > * Store it in the result array. > */ > - RootedId id(cx); Is the removal of this variable just an optimization, or is it needed for correctness in some way that I am not noticing? If the removal is just an optimization, then let's leave the declaration in in, because it makes it much clearer that the two ids are unrelated.
Attachment #8377725 -
Flags: review?(jimb) → review+
Comment 6•10 years ago
|
||
Comment on attachment 8377736 [details] [diff] [review] bug-973566-part-2-followup-v1.patch Review of attachment 8377736 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsobj.h @@ +1286,5 @@ > owner->getDenseElements() + clampedStart, "element"); > } > #endif > > +/* Determine whether obj has an own property with the given id. */ nit: If you're going to comment at all, why not actually spell it out? "Set |*resultp| to indicate whether |obj| has an own property named |id|."
Attachment #8377736 -
Flags: review?(jimb) → review+
Assignee | ||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/5d7c2275e346 https://hg.mozilla.org/integration/mozilla-inbound/rev/b130f02b5151
Comment 8•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/5d7c2275e346 https://hg.mozilla.org/mozilla-central/rev/b130f02b5151
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in
before you can comment on or make changes to this bug.
Description
•