Last Comment Bug 653262 - TI: Assertion failure: isScriptFrame(), at ../jsinterp.h:329
: TI: Assertion failure: isScriptFrame(), at ../jsinterp.h:329
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
Reported: 2011-04-27 15:11 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:45 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Christian Holler (:decoder) 2011-04-27 15:11:17 PDT
The following testcase asserts on TI revision 09cce9915b80 (run with -m -n -a),
tested on 64 bit:

const HAVE_TM = 'tracemonkey' in this;
const HOTLOOP = HAVE_TM ? tracemonkey : 8;
with(evalcx(''))(function eval() {}, this.__defineGetter__("x", Function));
var i = 0;
var o;

I'm not sure if it's valid due to the evalcx call in there.
Comment 1 User image Brian Hackett (:bhackett) 2011-05-01 18:05:55 PDT
When invoking a constructor on a dummy frame we would query the current frame's script to check whether to create a unique type object for the result.  Needed a guard to check the frame actually has a script.
Comment 2 User image Christian Holler (:decoder) 2013-01-14 08:45:27 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug653262.js.

Note You need to log in before you can comment on or make changes to this bug.