Closed
Bug 550490
Opened 15 years ago
Closed 15 years ago
JM: Crash [@ js::jsl_GetUpvar] or "Assertion failure: fp->script, at ../jsinterp.cpp"
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
function a() {
function f() {}
this.d = function() {
f
}
} (function() {
var a2, x
a2 = new a;
d = (function(){x * 1})();
})()
crashes js opt shell on JM tip with -m at js::jsl_GetUpvar and asserts debug shell on JM tip with -m at Assertion failure: fp->script, at ../jsinterp.cpp:1829
This occurs very frequently and because it occurs in jsfunfuzz code, blocks fuzzing.
Occurs in changeset http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/024479e57d25
but not in changeset http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/4c2029c3e4b8
Reporter, Comment 1 • 15 years ago
(In reply to comment #0)
> but not in changeset
> http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/4c2029c3e4b8
Ignore this part of the regression window, I screwed something up. Still seems to occur in http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/3671d1e45072
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Explanation: we were running the display update code twice, once in js_Interpret and once in InlineCall().
Updated • 14 years ago
Crash Signature: [@ js::jsl_GetUpvar]
Comment 4 • 12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug550490.js.
Flags: in-testsuite+