Created attachment 577371 [details] stack f = eval("\ (function() {\ with({}) {\ yield\ }\ for(let d in[gc()])\ for(b in[0,function(){}]);\ })\ ") for (e in f()) {} asserts js debug shell on JM changeset 5546f57c9567 without any CLI flags at Assertion failure: isGlobal(), Doesn't seem to occur with m-c changeset bc48009a6bbb. (not sure if the following is correct): autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 79616:d6352d960dd2 parent: 79349:f951e9151626 parent: 79615:921e1db5cf11 user: Brian Hackett date: Wed Nov 02 09:23:25 2011 -0700 summary: Merge MC -> JM
I can't repro on the named revision and architecture.
(In reply to Brian Hackett (:bhackett) from comment #1) > I can't repro on the named revision and architecture. I can definitely still reproduce this on a 32-bit debug shell on JM rev 1e8c03ba91d0 without any CLI flags.
> I can definitely still reproduce this on a 32-bit debug shell on JM rev > 1e8c03ba91d0 without any CLI flags. There was some offline discussion about this being possibly platform and configuration-specific and being potentially fixed by bug 692274.
> There was some offline discussion about this being possibly platform and > configuration-specific and being potentially fixed by bug 692274. This still reproduces with the patch in comment 35 in bug 692274 applied on m-c rev 7ab478082ca7. Testing m-c because ObjShrink has landed on m-c. Luke, any ideas on why this still occurs? (when Brian and I last spoke, this doesn't really seem directly related to ObjShrink)
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #4) > Luke, any ideas on why this still occurs? (when Brian and I last spoke, this > doesn't really seem directly related to ObjShrink) Yeah, it's ObjShrink: 'priv' is a stale stack frame stored in the generator object, this code should use the live frame (on the stack), i.e., 'fp'.
Created attachment 579881 [details] [diff] [review] fix
(In reply to Luke Wagner [:luke] from comment #6) > Created attachment 579881 [details] [diff] [review] > fix (setting assignee to Luke since he has an r+ patch - ready for checkin!)
*** Bug 709929 has been marked as a duplicate of this bug. ***
The testcase in bug 709929 should also be landed.
Righto. Will land when m-i kerfuffle clears up; sorry for not landing earlier.
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #9) > The testcase in bug 709929 should also be landed. Here's another testcase which crashes debug shell that is fixed by the patch here: f = (function() { function shapeyConstructor(qvhvyl) { Object.defineProperty(qvhvyl, "", ({ e: true })); gc(); } for each(let x in [Number, Number, new Number]) { try { let g = shapeyConstructor(x); with({}) { with([]) yield } } catch (e) { } } }) for (i in f()) {}
https://hg.mozilla.org/integration/mozilla-inbound/rev/ebfc6414c4dc
https://hg.mozilla.org/mozilla-central/rev/ebfc6414c4dc
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
or
