Bug 755560 - IonMonkey: Assertion failure: isObject(), at ../../jsapi.h:509
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Target Milestone: ---
Assigned To: David Anderson [:dvander]
: Jason Orendorff [:jorendorff]
Blocks: langfuzz IonFuzz
Reported: 2012-05-15 16:07 PDT by Christian Holler (:decoder)
Modified: 2012-05-17 14:28 PDT

Attachments
fix (3.14 KB, patch)
2012-05-16 17:00 PDT, David Anderson [:dvander]
nicolas.b.pierron: review+

Description Christian Holler (:decoder) 2012-05-15 16:07:10 PDT
The following testcase asserts on ionmonkey revision 50177d59c0e1 (run with --ion -n -m):


function Employee ( name, dept ) {
  this.name=name || ""
}
function WorkerBee ( name, dept, projs ) {}
var SECTION = "toString-001.js";
while ( SECTION , this) 
WorkerBee.prototype = new Employee();

Comment 1 David Anderson [:dvander] 2012-05-16 16:31:52 PDT
This is another bug masked by the OSR changes made recently. Taking.

Comment 2 David Anderson [:dvander] 2012-05-16 17:00:13 PDT
Created attachment 624601
fix

Turns out this can be called in the middle of js::StackFrame construction, so thisv can be JSVAL_NULL.

Comment 3 David Anderson [:dvander] 2012-05-17 14:28:16 PDT
http://hg.mozilla.org/projects/ionmonkey/rev/a19d34d6750f
