Closed Bug 676486 Opened 10 years ago Closed 10 years ago

TM: Assertion failure: hasArgs(), at vm/Stack-inl.h:271

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla8

People

(Reporter: decoder, Assigned: luke)

References

Details

(Keywords: assertion, testcase, Whiteboard: [js-triage-needed][inbound])

Attachments

(1 file)

The following testcase asserts on m-i revision 1d1c771a3aba (run with -j -m), tested on 64 bit.


function test() {
    var proxy = Proxy.createFunction(
        {},
    function() { 
        return (function () { with (arguments) { eval("foo") } })(); 
    });
    assertEq((new proxy()).origin, "new");
}
test();


The first bad revision is:
changeset:   73673:8bff20b3f8db
user:        Luke Wagner
date:        Tue Aug 02 09:21:51 2011 -0700
summary:     Bug 674843 - Censor pushed-but-not-active InvokeSessionGuard frames from the debugger's view (r=waldo)
It looks like this is debug-only and AFAICS, it wouldn't even be possible except for the bug described in bug 670071 comment 2.
Attached patch fix and testSplinter Review
Thanks for the reduced test case!
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #550736 - Flags: review?(jwalden+bmo)
Attachment #550736 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/672300c1bf65
Whiteboard: js-triage-needed → [js-triage-needed][inbound]
http://hg.mozilla.org/mozilla-central/rev/672300c1bf65
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug676486.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.