Closed Bug 678211 Opened 14 years ago Closed 14 years ago

Assertion failure: isScriptFrame(), at ../vm/Stack.h:538 with dummy frame

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

v1
1.14 KB, patch
dvander
: review+
Details | Diff | Splinter Review
The following code crashes on jsdbg2 branch (revision 48e43edc8834, options -j -m -a): var g = newGlobal('new-compartment'); var N = g.N = 9; g.eval("function f(i) { if (i < N) f(i + 1); }"); var dbg = Debugger(g); var arr = []; dbg.onEnterFrame = function (frame) { var i; var j = i; for (; frame; frame = frame.older) this . onEnterFrame(arr[j--], frame); }; g.f(0); Not sure if this might be related to bug 678086, the assert is similar but not the same.
This also exists in mozilla-central (that is, even without jsdbg2). With -j, this asserts the same way: var g = newGlobal('new-compartment'); g.eval("function f(n) { for (var i = 0; i < n; i++) f(0); }"); g.f(10); I think this will be pretty easy to patch. Trying it now.
Summary: [jsdbg2] Assertion failure: isScriptFrame(), at ../vm/Stack.h:538 → Assertion failure: isScriptFrame(), at ../vm/Stack.h:538 with dummy frame
Attached patch v1Splinter Review
Assignee: general → jorendorff
Attachment #552535 - Flags: review?(dvander)
Attachment #552535 - Flags: review?(dvander) → review+
http://hg.mozilla.org/mozilla-central/rev/d71ffe484d24
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: