|
5.40 KB,
text/plain
|
Details | |
|
1.70 KB,
patch
|
bhackett
:
review+
|
Details | Diff | Splinter Review |
Created attachment 577371 [details]
stack
f = eval("\
(function() {\
with({}) {\
yield\
}\
for(let d in[gc()])\
for(b in[0,function(){}]);\
})\
")
for (e in f()) {}
asserts js debug shell on JM changeset 5546f57c9567 without any CLI flags at Assertion failure: isGlobal(),
Doesn't seem to occur with m-c changeset bc48009a6bbb.
(not sure if the following is correct):
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 79616:d6352d960dd2
parent: 79349:f951e9151626
parent: 79615:921e1db5cf11
user: Brian Hackett
date: Wed Nov 02 09:23:25 2011 -0700
summary: Merge MC -> JM
|
||
Comment 1•6 years ago
|
||
I can't repro on the named revision and architecture.
|
(Reporter) | |
Comment 2•6 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #1) > I can't repro on the named revision and architecture. I can definitely still reproduce this on a 32-bit debug shell on JM rev 1e8c03ba91d0 without any CLI flags.
|
|
(Reporter) | |
Comment 3•6 years ago
|
||
> I can definitely still reproduce this on a 32-bit debug shell on JM rev > 1e8c03ba91d0 without any CLI flags. There was some offline discussion about this being possibly platform and configuration-specific and being potentially fixed by bug 692274.
|
|
(Reporter) | |
Comment 4•6 years ago
|
||
> There was some offline discussion about this being possibly platform and > configuration-specific and being potentially fixed by bug 692274. This still reproduces with the patch in comment 35 in bug 692274 applied on m-c rev 7ab478082ca7. Testing m-c because ObjShrink has landed on m-c. Luke, any ideas on why this still occurs? (when Brian and I last spoke, this doesn't really seem directly related to ObjShrink)
|
|
(Assignee) | |
Comment 5•6 years ago
|
||
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #4) > Luke, any ideas on why this still occurs? (when Brian and I last spoke, this > doesn't really seem directly related to ObjShrink) Yeah, it's ObjShrink: 'priv' is a stale stack frame stored in the generator object, this code should use the live frame (on the stack), i.e., 'fp'.
|
|
(Assignee) | |
Comment 6•6 years ago
|
||
Created attachment 579881 [details] [diff] [review] fix
|
|
||
Updated•6 years ago
|
||
|
|
(Reporter) | |
Comment 7•6 years ago
|
||
(In reply to Luke Wagner [:luke] from comment #6) > Created attachment 579881 [details] [diff] [review] > fix (setting assignee to Luke since he has an r+ patch - ready for checkin!)
|
|
(Reporter) | |
Comment 9•6 years ago
|
||
The testcase in bug 709929 should also be landed.
|
|
(Assignee) | |
Comment 10•6 years ago
|
||
Righto. Will land when m-i kerfuffle clears up; sorry for not landing earlier.
|
|
(Reporter) | |
Comment 11•6 years ago
|
||
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #9) > The testcase in bug 709929 should also be landed. Here's another testcase which crashes debug shell that is fixed by the patch here: f = (function() { function shapeyConstructor(qvhvyl) { Object.defineProperty(qvhvyl, "", ({ e: true })); gc(); } for each(let x in [Number, Number, new Number]) { try { let g = shapeyConstructor(x); with({}) { with([]) yield } } catch (e) { } } }) for (i in f()) {}
|
|
(Assignee) | |
Comment 12•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ebfc6414c4dc
|
||
Comment 13•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ebfc6414c4dc
|
|
(Reporter) | |
Comment 14•5 years ago
|
||
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Description
•