Closed
Bug 745360
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ js::ArgumentsObject::createUnexpected] or [@ js::StackFrame::isNonEvalFunctionFrame] or "Assertion failure: isInterpreted(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla14
People
(Reporter: gkw, Assigned: nbp)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [Leave open after IonMonkey merge] [jsbugmon:update,ignore])
Crash Data
Attachments
(4 files)
newGlobal('new-compartment').eval("eval.arguments")
asserts js debug shell on IonMonkey changeset e78cfa69741e without any CLI arguments at Assertion failure: isInterpreted(),
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 91388:2386dfe53a85
user: Nicolas Pierron
date: Fri Mar 23 20:30:57 2012 -0700
summary: Rewrite fun_getProperty to handle Ion Frames (Bug 732853 part 2, r=dvander)
|
Reporter | |
Comment 1•13 years ago
|
||
Crashes at js::StackFrame::isNonEvalFunctionFrame on mozilla-inbound rev 662c163ac088 instead.
|
|
Reporter | |
Updated•13 years ago
|
Crash Signature: [@ js::StackFrame::isNonEvalFunctionFrame]
Summary: IonMonkey: "Assertion failure: isInterpreted()," → Crash [@ js::StackFrame::isNonEvalFunctionFrame] or "Assertion failure: isInterpreted(),"
|
|
Reporter | |
Comment 2•13 years ago
|
||
Crashes opt shell at js::ArgumentsObject::createUnexpected too. Seems to be a null deref.
|
|
Reporter | |
Updated•13 years ago
|
Crash Signature: [@ js::StackFrame::isNonEvalFunctionFrame] → [@ js::StackFrame::isNonEvalFunctionFrame]
[@ js::ArgumentsObject::createUnexpected]
Summary: Crash [@ js::StackFrame::isNonEvalFunctionFrame] or "Assertion failure: isInterpreted()," → Crash [@ js::ArgumentsObject::createUnexpected] or [@ js::StackFrame::isNonEvalFunctionFrame] or "Assertion failure: isInterpreted(),"
|
|
Reporter | |
Comment 3•13 years ago
|
||
The mozilla-inbound regression is likely to be bug 744670.
Blocks: 744670
|
Assignee | |
Comment 4•13 years ago
|
||
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Attachment #614957 -
Flags: review?(luke)
|
|
||
Updated•13 years ago
|
Attachment #614957 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 5•13 years ago
|
||
Summary: Crash [@ js::ArgumentsObject::createUnexpected] or [@ js::StackFrame::isNonEvalFunctionFrame] or "Assertion failure: isInterpreted()," → IonMonkey: Crash [@ js::ArgumentsObject::createUnexpected] or [@ js::StackFrame::isNonEvalFunctionFrame] or "Assertion failure: isInterpreted(),"
Whiteboard: [Leave open after IonMonkey merge]
|
||
Comment 6•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
|
|
Assignee | |
Comment 7•13 years ago
|
||
This bug should not be closed because it also affects IonMonkey. (see title & whiteboard)
Thanks for your concern.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
||
Updated•13 years ago
|
Whiteboard: [Leave open after IonMonkey merge] → [Leave open after IonMonkey merge][jsbugmon:update]
|
|
||
Comment 8•13 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0e6d579045c8).
|
|
||
Updated•13 years ago
|
Crash Signature: [@ js::StackFrame::isNonEvalFunctionFrame]
[@ js::ArgumentsObject::createUnexpected] → [@ js::StackFrame::isNonEvalFunctionFrame]
[@ js::ArgumentsObject::createUnexpected]
Whiteboard: [Leave open after IonMonkey merge][jsbugmon:update] → [Leave open after IonMonkey merge] [jsbugmon:update,ignore]
|
|
Assignee | |
Comment 9•13 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #8)
> JSBugMon: The testcase found in this bug no longer reproduces (tried
> revision 0e6d579045c8).
The bug has been correctly merged, thanks for monitoring.
Status: REOPENED → RESOLVED
Crash Signature: [@ js::StackFrame::isNonEvalFunctionFrame]
[@ js::ArgumentsObject::createUnexpected] → [@ js::StackFrame::isNonEvalFunctionFrame]
[@ js::ArgumentsObject::createUnexpected]
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
|
|
||
Comment 10•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug745360.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•