Closed Bug 595916 Opened 15 years ago Closed 15 years ago

TM: "Assertion failure: isFunctionFrame() && !isEvalFrame(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
1.80 KB, patch
dvander
: review+
Details | Diff | Splinter Review
(function () { try { eval("\ for each(let d in[0,0,0,0,0,0,0,0]) {\ for(let b in[0,0]) {}\ }\ ") } catch (e) {} })() asserts js debug shell on TM changeset f5e128da7b5f with -j at Assertion failure: isFunctionFrame() && !isEvalFrame(),
blocking2.0: --- → ?
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 53418:8721b595e7ab user: Luke Wagner date: Mon Aug 09 22:43:33 2010 -0700 summary: Bug 539144 - Make formal args a jit-time const offset from fp; rm argv/argc/thisv/script/callobj (r=brendan,dvander)
Blocks: 539144
Attached patch fixSplinter Review
mmmm, fuzzing!
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #475392 - Flags: review?(dvander)
Attachment #475392 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/8875da11ded0
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/8875da11ded0
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug595916.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: