TI: Assertion failure: isScriptFrame(), at ../jsinterp.h:329

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
The following testcase asserts on TI revision 09cce9915b80 (run with -m -n -a),
tested on 64 bit:

const HAVE_TM = 'tracemonkey' in this;
const HOTLOOP = HAVE_TM ? tracemonkey : 8;
with(evalcx(''))(function eval() {}, this.__defineGetter__("x", Function));
var i = 0;
var o;
new(x);



I'm not sure if it's valid due to the evalcx call in there.
When invoking a constructor on a dummy frame we would query the current frame's script to check whether to create a unique type object for the result.  Needed a guard to check the frame actually has a script.

http://hg.mozilla.org/projects/jaegermonkey/rev/f85a663ce75a
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Updated

6 years ago
Blocks: 676763
(Reporter)

Comment 2

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug653262.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.