Last Comment Bug 690396 - TI: Assertion failure: hasSlot() && !hasMissingSlot(), at ../../jsscope.h:652
: TI: Assertion failure: hasSlot() && !hasMissingSlot(), at ../../jsscope.h:652
Status: RESOLVED FIXED
js-triage-needed
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All Linux
: -- critical (vote)
: ---
Assigned To: general
:
:
Mentors:
Depends on:
Blocks: langfuzz 684505
  Show dependency treegraph
 
Reported: 2011-09-29 09:22 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:10 PST (History)
4 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Christian Holler (:decoder) 2011-09-29 09:22:52 PDT
The following test asserts on jaegermonkey revision ff51ddfdf5d1 (options -m -n):


function makeGenerator() {
  yield function generatorClosure() {};
}
var generator = makeGenerator();
findReferences(generator);
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-10-28 13:45:50 PDT
Related to bug 698074 ? (The testcase there doesn't involve yield)
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-10-28 15:23:08 PDT
This has the same regressing changeset as bug 698074, so fwiw, that bug might just be a dupe of this one.

The flags (-m -n) specified in comment 0 weren't needed either.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77570:ff51ddfdf5d1
user:        Brian Hackett
date:        Wed Sep 28 15:04:55 2011 -0700
summary:     Remove shape numbers and Shape::slotSpan, factor Shape getter/setter into BaseShape, bug 684505.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2011-10-28 15:53:51 PDT
As per decoder's request, this does not reproduce on m-c changeset 1c7e1db3645b.
Comment 4 Brian Hackett (:bhackett) 2011-10-29 23:00:00 PDT
Use of shape->slot() instead of shape->maybeSlot() in some debugging code called under findReferences.

https://hg.mozilla.org/projects/jaegermonkey/rev/e414b516fd92
Comment 5 Christian Holler (:decoder) 2013-01-19 14:10:21 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.