Closed Bug 771242 Opened 13 years ago Closed 13 years ago

"Assertion failure: flags_ & HAS_ARGS_OBJ,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla16

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)

Attachments

(2 files)

stack
4.28 KB, text/plain
Details
patch and test
2.42 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Attached file stack
a = function() { b = newGlobal() }; c = [0, 0] c.sort(a) function d() { yield arguments[4] } b.iterate = d f = Proxy.create(b) e = Iterator(f, true) for (p in f) { e.next() } asserts js debug shell on m-c changeset e0f64c714814 without any CLI arguments at Assertion failure: flags_ & HAS_ARGS_OBJ, Valgrind does not indicate anything bad on opt. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 97976:d4ac6ac2e618 user: Luke Wagner date: Thu Jun 28 22:50:15 2012 -0700 summary: Bug 767667 - fix getelem on optimized arguments (r=bhackett)
Attached patch patch and testSplinter Review
Oh duh, generators can be suspended when argumentsOptimizationFailed. The patch just disables the arguments optimization for generators; fixing it would involve hunting down all generators in the heap.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #639473 - Flags: review?(bhackett1024)
Attachment #639473 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/007003bb82c9
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug771242.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: