Closed
Bug 1122768
Opened 9 years ago
Closed 9 years ago
Assertion failure: !scope->is<ScopeObject>() || (scope->is<DynamicWithObject>() && !scope->as<DynamicWithObject>().isSyntactic()), at vm/Stack.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1122335
| Tracking | Status | |
|---|---|---|
| firefox38 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
5.28 KB,
text/plain
|
Details |
// jsfunfuzz-generated code
options('strict_mode')
// Randomly chosen test: js/src/jit-test/tests/debug/Object-evalInGlobal-03.js
n = (new Debugger).addDebuggee(newGlobal());
x = n.evalInGlobal('(function () {})').return;
x.call()
asserts js debug shell on m-c changeset 5438e3f74848 with --fuzzing-safe --no-threads --ion-eager --no-baseline at Assertion failure: !scope->is<ScopeObject>() || (scope->is<DynamicWithObject>() && !scope->as<DynamicWithObject>().isSyntactic()), at vm/Stack.cpp.
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:
http://hg.mozilla.org/mozilla-central/file/5438e3f74848/js/src/jit-test/tests/debug/Object-evalInGlobal-03.js
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fb00dedf441c
user: Shu-yu Guo
date: Wed Jan 14 22:57:35 2015 -0800
summary: Bug 963879 - Part 1: Overhaul ScopeIter and StaticScopeIter to share iteration logic and to go through evals. (r=luke)
Shu-yu, is bug 963879 a likely regressor?Flags: needinfo?(shu)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x218c5, 0x00000001007e5e09 js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`AssertDynamicScopeMatchesStaticScope(cx=<unavailable>, script=<unavailable>, scope=<unavailable>) + 1833 at Stack.cpp:173, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001007e5e09 js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`AssertDynamicScopeMatchesStaticScope(cx=<unavailable>, script=<unavailable>, scope=<unavailable>) + 1833 at Stack.cpp:173
frame #1: 0x00000001007e533b js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`js::InterpreterFrame::prologue(this=0x000000010489d2d0, cx=0x0000000101d021d0) + 443 at Stack.cpp:212
frame #2: 0x000000010075becd js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`Interpret(cx=0x0000000101d021d0, state=0x00007fff5fbfde90) + 1053 at Interpreter.cpp:1508
frame #3: 0x000000010075ba96 js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`js::RunScript(cx=0x0000000101d021d0, state=0x00007fff5fbfde90) + 342 at Interpreter.cpp:448
frame #4: 0x000000010074af3b js-dbg-opt-64-dm-nsprBuild-darwin-5438e3f74848`js::Invoke(cx=0x0000000101d021d0, args=CallArgs at 0x00007fff5fbfdf10, construct=<unavailable>) + 539 at Interpreter.cpp:517
(lldb)
|
||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•