Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 656914 - TI: Assertion failure: codeArray[offset], at ./jsanalyze.h:902
: TI: Assertion failure: codeArray[offset], at ./jsanalyze.h:902
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
Reported: 2011-05-13 07:34 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:40 PST (History)
4 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Christian Holler (:decoder) 2011-05-13 07:34:16 PDT
The following testcase asserts on TI revision 8fbd8f861465 (run with -m -n -a),
tested on 64 bit:

try {
  new MyObject;
} catch (e) {}

function MyObject() {
  return this;
Comment 1 Brian Hackett (:bhackett) 2011-05-13 07:56:03 PDT
Oops, regression from the 'new' robustness improvements/overhaul.  Had a TODO for this but forgot to actually do it, we weren't handling premature returns within the script nor uses of 'this' in conditional code.  Push below has a couple extra testcases.
Comment 2 Christian Holler (:decoder) 2013-01-14 08:40:37 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug656914.js.

Note You need to log in before you can comment on or make changes to this bug.