Closed
Bug 732857
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: isArgument(), at ion/LIR-inl.h:73
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, testcase)
The following testcase asserts on ionmonkey revision 1fd6c40d3852 (run with --ion -n):
function TestCase(n, d, e, a) {};
this.__proto__ = [];
var msPerDay = 86400000;
var TIME_1900 = -2208988800000;
function TimeFromYear( y ) {
return ( msPerDay * DayFromYear(y) );
}
function DayFromYear( y ) {
return ( 365*(y-1970) +
Math.floor((y-1601)/400) );
}
function YearFromTime( t ) {
var sign = ( t < 0 ) ? -1 : 1;
var year = ( sign < 0 ) ? 1969 : 1970;
return ( year );
}
var SECTION = "15.9.5.10";
addTestCase( TIME_1900 );
function addTestCase( t ) {
var start = TimeFromYear(YearFromTime(t));
var stop = TimeFromYear(YearFromTime(t) + 1);
for (var d = start; d < stop; d += msPerDay) {
new TestCase( SECTION,
(new Date( SECTION ? "Failed" : prototype += "'abc'.search(new RegExp('^'))") ).getDate() );
}
}The bug here is that an LPassArg leaked into a snapshot. Haven't looked further yet. Somehow we didn't unwrap.
|
Reporter | |
Comment 2•12 years ago
|
||
Doesn't seem to reproduce for me on a more recent build. Gary, can you bisect if/when this was fixed?
|
||
Comment 3•12 years ago
|
||
Probably fixed by bug 723333. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 91137:5108b08c2d54 user: Sean Stangl date: Wed Mar 21 17:25:43 2012 -0700 summary: Bug 723333 - Handle JSOP_NEW without callVM(). r=dvander
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 4•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•