Closed
Bug 1235477
Opened 8 years ago
Closed 8 years ago
Assertion failure: stub->monitorsThis() || *GetNextPc(pc) == JSOP_CHECKTHIS || *GetNextPc(pc) == JSOP_CHECKRETURN, at js/src/jit/SharedIC.cpp:4737
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1234717
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 7c83da46ea74 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
(function() {
{
let x = f();
function f() {
x;
}
}
})()
Backtrace:
0 js-dbg-64-dm-darwin-7c83da46ea74 0x00000001003e2b6c js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 1980 (SharedIC.cpp:4735)
1 ??? 0x0000000103f03f57 0 + 4361043799
The patch in bug 1234164 comment 4 fixes the issue in that bug but does not fix this one.
|
Reporter | |
Comment 1•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/73c94ff300b2 user: Shu-yu Guo date: Wed Dec 09 07:52:58 2015 -0800 summary: Bug 1071646 - Make functions block-scoped in JS and implement Annex B semantics for compatibility. (r=jorendorff) Shu-yu, is bug 1071646 a likely regressor?
Blocks: 1071646
Flags: needinfo?(shu)
|
||
Comment 2•8 years ago
|
||
I'm pretty sure this is a dup of bug 1234164.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
|
||
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•