Assertion failure: frame_.fun()->isHeavyweight(), at vm/ScopeObject.cpp:1058

RESOLVED FIXED in mozilla24

Status

()

--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla24
x86
Linux
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:])

(Reporter)

Description

6 years ago
The following testcase asserts on mozilla-central revision b0d842380959 (run with --ion-eager):


version(0);
function y() {
  try  {
    test().split(',');
  }  catch(ex)  {  }
}
function test()
  eval("with({}) let(x=[])(function(){x})()");
y();
y();
y();
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
(Reporter)

Comment 1

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2c85e4d1d678).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/36b6a36c00bc
parent:      127345:836ed183bb5f
parent:      122574:67f2a2816651
user:        Jan de Mooij
date:        Fri Feb 22 13:37:13 2013 +0100
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 702d2814efbf.

This iteration took 173.074 seconds to run.

Oops! We didn't test rev 67f2a2816651, a parent of the blamed revision! Let's do that now.
Rev 67f2a2816651: Found cached shell...   Testing... [Uninteresting] It didn't crash. (0.447 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.

The bug was introduced by a merge (it was not present on either parent).
I don't know which patches from each side of the merge contributed to the bug. Sorry.
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
(Reporter)

Comment 2

5 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/f5eca934fa16
user:        Jan de Mooij
date:        Fri Jun 21 08:28:06 2013 +0200
summary:     Bug 881902 - Remove ContextStack and StackSpace. r=luke,njn

This iteration took 329.705 seconds to run.
Jan, is bug 881902 a possible fix?
Flags: needinfo?(jdemooij)
(Assignee)

Comment 4

5 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] (yes, still catching up on bugmail) from comment #3)
> Jan, is bug 881902 a possible fix?

It's possible, bug 881902 was a big rewrite/refactoring. Are the fuzzers still hitting this?
Flags: needinfo?(jdemooij) → needinfo?(choller)
(Assignee)

Updated

5 years ago
Flags: needinfo?(gary)
(Reporter)

Comment 5

5 years ago
I'm not hitting this anymore, at least nothing in the log for a few days now.
Flags: needinfo?(choller)
Nope, not seen this recently either.
Flags: needinfo?(gary)
Assuming FIXED by bug 881902.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Assignee: general → jdemooij
Depends on: 881902
Target Milestone: --- → mozilla24
You need to log in before you can comment on or make changes to this bug.