Closed
Bug 762450
Opened 13 years ago
Closed 13 years ago
Assertion failure: !script()->formalIsAliased(i), at vm/Stack-inl.h:250
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla16
People
(Reporter: decoder, Assigned: luke)
References
Details
(Keywords: assertion, testcase, Whiteboard: js-triage-needed)
Attachments
(1 file, 1 obsolete file)
|
2.64 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision cf4face65451 (options -m -n -a):
function f(a, b, c) {
arguments.length = (c--) + 1;
}
f();
|
Assignee | |
Comment 1•13 years ago
|
||
Nobody expects the js_InternalInterpret!
|
||
Updated•13 years ago
|
Attachment #631124 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 2•13 years ago
|
||
Incredibly, DoIncDec is totally wrong when &v != slot. (This was only exposed with bug 659577 which added the first such use.)
Attachment #631124 -
Attachment is obsolete: true
Attachment #631151 -
Flags: review?(bhackett1024)
|
|
||
Comment 3•13 years ago
|
||
Comment on attachment 631151 [details] [diff] [review]
fix and test
Patch has unrelated changes in FinishVarIncOp
Attachment #631151 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 4•13 years ago
|
||
The changes in FinishVarIncOp is the patch in comment 1; the new patch adds the fix in DoIncDec.
|
|
Assignee | |
Comment 5•13 years ago
|
||
Target Milestone: --- → mozilla16
|
||
Comment 6•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b1e796090d2c
(Merged by Ed Morley)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 8•13 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug762450.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•