TM: Assertion failure: hasArgs(), at vm/Stack-inl.h:271

RESOLVED FIXED in mozilla8

Status

()

defect
--
critical
RESOLVED FIXED
8 years ago
7 years ago

People

(Reporter: decoder, Assigned: luke)

Tracking

(Blocks 1 bug, {assertion, testcase})

Trunk
mozilla8
x86_64
Linux
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js-triage-needed][inbound])

Attachments

(1 attachment)

The following testcase asserts on m-i revision 1d1c771a3aba (run with -j -m), tested on 64 bit.


function test() {
    var proxy = Proxy.createFunction(
        {},
    function() { 
        return (function () { with (arguments) { eval("foo") } })(); 
    });
    assertEq((new proxy()).origin, "new");
}
test();


The first bad revision is:
changeset:   73673:8bff20b3f8db
user:        Luke Wagner
date:        Tue Aug 02 09:21:51 2011 -0700
summary:     Bug 674843 - Censor pushed-but-not-active InvokeSessionGuard frames from the debugger's view (r=waldo)
It looks like this is debug-only and AFAICS, it wouldn't even be possible except for the bug described in bug 670071 comment 2.
Posted patch fix and testSplinter Review
Thanks for the reduced test case!
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #550736 - Flags: review?(jwalden+bmo)
Blocks: 676763
Attachment #550736 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/672300c1bf65
Whiteboard: js-triage-needed → [js-triage-needed][inbound]
http://hg.mozilla.org/mozilla-central/rev/672300c1bf65
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug676486.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.