Closed
Bug 716713
Opened 14 years ago
Closed 14 years ago
"Assertion failure: ss->top >= 2," or "Assertion failure: top != 0," or "Assertion failure: newtop <= oldtop,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla12
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: js-triage-done)
Attachments
(2 files)
|
5.20 KB,
text/plain
|
Details | |
|
986 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
f = (function() {
@o()
}).g()
asserts js debug shell on m-c changeset c713003d3226 without any CLI arguments at Assertion failure: ss->top >= 2,
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 84036:7ab4f1ebc7cc
user: Brian Hackett
date: Mon Jan 09 06:29:50 2012 -0800
summary: Backout 54cd89b0f1fa (bug 712714 backout). Talos will probably report fake regressions for this patch, do not back out for this reason.
Just to be sure:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 83898:78d17e22a223
parent: 83892:0ac1cbff2a67
user: Brian Hackett
date: Thu Jan 05 11:08:38 2012 -0800
summary: Remove JOF_CALLOP, bug 712714. r=dvander
|
Reporter | |
Comment 1•14 years ago
|
||
Another testcase asserting identically as the one in comment 0:
uneval(function() {
@o()
})
A variant asserts at:
uneval(function() {
for (b in x) {
@o()
}
})
Assertion failure: top != 0,
Summary: "Assertion failure: ss->top >= 2," → "Assertion failure: ss->top >= 2," or "Assertion failure: top != 0,"
|
|
Reporter | |
Comment 2•14 years ago
|
||
(function() {
for (let b in []) {
( * )()
}
}).f()
A variant that does not involve "@" asserts at Assertion failure: newtop <= oldtop,
Summary: "Assertion failure: ss->top >= 2," or "Assertion failure: top != 0," → "Assertion failure: ss->top >= 2," or "Assertion failure: top != 0," or "Assertion failure: newtop <= oldtop,"
|
||
Comment 3•14 years ago
|
||
Both (*) and (@o) are E4X things, fwiw.
|
Assignee | |
Comment 5•14 years ago
|
||
JSOP_CALLXMLNAME still pushes two values, and needed a placeholder value when decompiling.
Assignee: general → bhackett1024
Attachment #587566 -
Flags: review?(dvander)
|
|
||
Updated•14 years ago
|
Attachment #587566 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 6•14 years ago
|
||
|
|
Reporter | |
Comment 7•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: js-triage-needed → js-triage-done
|
||
Updated•14 years ago
|
Target Milestone: --- → mozilla12
|
||
Comment 8•13 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/e4x/bug716713.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•