Closed Bug 676486 Opened 14 years ago Closed 14 years ago

TM: Assertion failure: hasArgs(), at vm/Stack-inl.h:271

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: decoder, Assigned: luke)

References

Details

(Keywords: assertion, testcase, Whiteboard: [js-triage-needed][inbound])

Attachments

(1 file)

fix and test
1.45 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
The following testcase asserts on m-i revision 1d1c771a3aba (run with -j -m), tested on 64 bit. function test() { var proxy = Proxy.createFunction( {}, function() { return (function () { with (arguments) { eval("foo") } })(); }); assertEq((new proxy()).origin, "new"); } test(); The first bad revision is: changeset: 73673:8bff20b3f8db user: Luke Wagner date: Tue Aug 02 09:21:51 2011 -0700 summary: Bug 674843 - Censor pushed-but-not-active InvokeSessionGuard frames from the debugger's view (r=waldo)
It looks like this is debug-only and AFAICS, it wouldn't even be possible except for the bug described in bug 670071 comment 2.
Attached patch fix and testSplinter Review
Thanks for the reduced test case!
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #550736 - Flags: review?(jwalden+bmo)
Attachment #550736 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/672300c1bf65
Whiteboard: js-triage-needed → [js-triage-needed][inbound]
http://hg.mozilla.org/mozilla-central/rev/672300c1bf65
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug676486.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: