"Assertion failure: flags_ & HAS_ARGS_OBJ,"

RESOLVED FIXED in mozilla16

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: luke)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla16
x86_64
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 639405 [details]
stack

a = function() {
  b = newGlobal()
};
c = [0, 0]
c.sort(a)
function d() {
  yield arguments[4]
}
b.iterate = d
f = Proxy.create(b)
e = Iterator(f, true)
for (p in f) {
  e.next()
}

asserts js debug shell on m-c changeset e0f64c714814 without any CLI arguments at Assertion failure: flags_ & HAS_ARGS_OBJ,

Valgrind does not indicate anything bad on opt.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   97976:d4ac6ac2e618
user:        Luke Wagner
date:        Thu Jun 28 22:50:15 2012 -0700
summary:     Bug 767667 - fix getelem on optimized arguments (r=bhackett)
(Assignee)

Comment 1

5 years ago
Created attachment 639473 [details] [diff] [review]
patch and test

Oh duh, generators can be suspended when argumentsOptimizationFailed.  The patch just disables the arguments optimization for generators; fixing it would involve hunting down all generators in the heap.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #639473 - Flags: review?(bhackett1024)
Attachment #639473 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 2

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/007003bb82c9
Target Milestone: --- → mozilla16
https://hg.mozilla.org/mozilla-central/rev/007003bb82c9
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug771242.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.