Closed
Bug 844364
Opened 11 years ago
Closed 11 years ago
IonMonkey: "Assertion failure: !frame.isEvalFrame(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
4.81 KB,
text/plain
|
Details | |
2.94 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
function f() { eval("this") } f() f() asserts js debug shell on m-c changeset 08a034e1d43a without any CLI arguments at Assertion failure: !frame.isEvalFrame(),
Reporter | ||
Comment 1•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 122546:0ded3af9b2d7 user: Brian Hackett date: Thu Feb 21 06:56:54 2013 -0700 summary: Bug 743394 - Ion compile JSOP_EVAL, r=jandem. Brian, is bug 743394 a likely regressor?
Flags: needinfo?(bhackett1024)
Reporter | ||
Updated•11 years ago
|
Whiteboard: [jsbugmon:update]
Comment 2•11 years ago
|
||
Fix for this and bug 844459, which is related. This is a bogus assert, bug 844459 is due to an inverted test that could cause an eval to see a primitive this values.
Attachment #717542 -
Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Comment 3•11 years ago
|
||
Comment on attachment 717542 [details] [diff] [review] patch Review of attachment 717542 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonBuilder.cpp @@ +4484,5 @@ > if (!info().fun()) > return abort("Direct eval in global code"); > > types::StackTypeSet *thisTypes = oracle->thisTypeSet(script()); > + if (thisTypes) { Nit: either JS_ASSERT(thisTypes); and remove the |if|, or add an "else" with "return abort(..);"
Attachment #717542 -
Flags: review?(jdemooij) → review+
Comment 5•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/0f9bcf85f0b7
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
You need to log in
before you can comment on or make changes to this bug.
Description
•