Last Comment Bug 676486 - TM: Assertion failure: hasArgs(), at vm/Stack-inl.h:271
: TM: Assertion failure: hasArgs(), at vm/Stack-inl.h:271
Status: RESOLVED FIXED
[js-triage-needed][inbound]
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: mozilla8
Assigned To: Luke Wagner [:luke]
:
Mentors:
Depends on: 674843
Blocks: langfuzz
  Show dependency treegraph
 
Reported: 2011-08-04 03:03 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:46 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
fix and test (1.45 KB, patch)
2011-08-04 10:17 PDT, Luke Wagner [:luke]
jwalden+bmo: review+
Details | Diff | Review

Description Christian Holler (:decoder) 2011-08-04 03:03:35 PDT
The following testcase asserts on m-i revision 1d1c771a3aba (run with -j -m), tested on 64 bit.


function test() {
    var proxy = Proxy.createFunction(
        {},
    function() { 
        return (function () { with (arguments) { eval("foo") } })(); 
    });
    assertEq((new proxy()).origin, "new");
}
test();


The first bad revision is:
changeset:   73673:8bff20b3f8db
user:        Luke Wagner
date:        Tue Aug 02 09:21:51 2011 -0700
summary:     Bug 674843 - Censor pushed-but-not-active InvokeSessionGuard frames from the debugger's view (r=waldo)
Comment 1 Luke Wagner [:luke] 2011-08-04 10:15:27 PDT
It looks like this is debug-only and AFAICS, it wouldn't even be possible except for the bug described in bug 670071 comment 2.
Comment 2 Luke Wagner [:luke] 2011-08-04 10:17:54 PDT
Created attachment 550736 [details] [diff] [review]
fix and test

Thanks for the reduced test case!
Comment 4 Marco Bonardo [::mak] 2011-08-06 03:00:53 PDT
http://hg.mozilla.org/mozilla-central/rev/672300c1bf65
Comment 5 Christian Holler (:decoder) 2013-01-14 08:46:03 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug676486.js.

Note You need to log in before you can comment on or make changes to this bug.