Last Comment Bug 755560 - IonMonkey: Assertion failure: isObject(), at ../../jsapi.h:509
: IonMonkey: Assertion failure: isObject(), at ../../jsapi.h:509
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
-- major (vote)
: ---
Assigned To: David Anderson [:dvander]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz IonFuzz
  Show dependency treegraph
Reported: 2012-05-15 16:07 PDT by Christian Holler (:decoder)
Modified: 2012-05-17 14:28 PDT (History)
7 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix (3.14 KB, patch)
2012-05-16 17:00 PDT, David Anderson [:dvander]
nicolas.b.pierron: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-05-15 16:07:10 PDT
The following testcase asserts on ionmonkey revision 50177d59c0e1 (run with --ion -n -m):

function Employee ( name, dept ) { || ""
function WorkerBee ( name, dept, projs ) {}
var SECTION = "toString-001.js";
while ( SECTION , this) 
WorkerBee.prototype = new Employee();
Comment 1 User image David Anderson [:dvander] 2012-05-16 16:31:52 PDT
This is another bug masked by the OSR changes made recently. Taking.
Comment 2 User image David Anderson [:dvander] 2012-05-16 17:00:13 PDT
Created attachment 624601 [details] [diff] [review]

Turns out this can be called in the middle of js::StackFrame construction, so thisv can be JSVAL_NULL.
Comment 3 User image David Anderson [:dvander] 2012-05-17 14:28:16 PDT

Note You need to log in before you can comment on or make changes to this bug.