Closed Bug 587434 Opened 15 years ago Closed 15 years ago

JM: IsSaneThisObject assertion failure on CALLXMLNAME

Tracking

()

Status:

VERIFIED FIXED

Tracking Flags:

Tracking

Status

blocking2.0

---

betaN+

People

(Reporter: gkw, Assigned: cdleary)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Fix CALLXMLNAME 15 years ago Chris Leary [:cdleary] (not checking bugmail) 1.46 KB, patch	jorendorff : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

15 years ago

(function() { function::a(eval("false"), true); function a({}) {} })() asserts js debug shell on JM changeset 89b775191b9d without -m nor -j at Assertion failure: IsSaneThisObject(vp[1].toObject()), at ../jsinterp.cpp:4734

Chris Leary [:cdleary] (not checking bugmail)

Assignee

Updated

•

15 years ago

Assignee: general → cdleary

Status: NEW → ASSIGNED

Robert Sayre

Updated

•

15 years ago

blocking2.0: --- → beta5+

Robert Sayre

Updated

•

15 years ago

blocking2.0: beta5+ → betaN+

Chris Leary [:cdleary] (not checking bugmail)

Assignee

Comment 1

•

15 years ago

Attached patch Fix CALLXMLNAME — Details — Splinter Review

Slow push thisv on CALLXMLNAME checks to make sure we're not pushing a call object onto the stack, sets |this| to NULL.

Attachment #468830 - Flags: review?(jorendorff)

Jason Orendorff [:jorendorff]

Updated

•

15 years ago

Attachment #468830 - Flags: review?(jorendorff) → review+

Chris Leary [:cdleary] (not checking bugmail)

Assignee

Comment 2

•

15 years ago

http://hg.mozilla.org/tracemonkey/rev/9ce0b72525ba

Summary: JM: "Assertion failure: IsSaneThisObject(vp[1].toObject())," → JM: IsSaneThisObject assertion failure on CALLXMLNAME

Whiteboard: fixed-in-tracemonkey

David Anderson [:dvander] - inactive, e-mail if emergency

Updated

•

15 years ago

Status: ASSIGNED → RESOLVED

Closed: 15 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Comment 3

•

12 years ago

A testcase for this bug was automatically identified at js/src/tests/e4x/Regress/regress-587434.js.

Flags: in-testsuite+

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 4

•

12 years ago

Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.

Status: RESOLVED → VERIFIED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

JM: IsSaneThisObject assertion failure on CALLXMLNAME

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Assigned: cdleary)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Updated

Comment 1

Updated

Comment 2

Updated

Comment 3

Comment 4

Attachment

General

Description

File Name

Content Type