Closed
Bug 883623
Opened 11 years ago
Closed 11 years ago
Assertion failure: !val.isMagic(), at jsobj.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
5.91 KB,
text/plain
|
Details | |
|
6.34 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
(function() {
eval("\
arguments.valueOf();\
with (function(){}){};\
");
})()
asserts js debug shell on m-c changeset 36da3cb92193 without any CLI arguments at Assertion failure: !val.isMagic(), at jsobj.cpp
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user: Brian Hackett
date: Fri Jun 14 05:58:28 2013 -0600
summary: Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.Flags: needinfo?(bhackett1024)
|
Assignee | |
Comment 1•11 years ago
|
||
If we aborted a syntax parse within the eval and needed to start over at some intermediate point, any free variables before that point were not used to deoptimize the calling scripts.
Assignee: general → bhackett1024
Attachment #763228 -
Flags: review?(luke)
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 2•11 years ago
|
||
Pushing ahead of review. I doubt this affects either of the remaining bug 678037 crashers, but it might and the fix is simple. https://hg.mozilla.org/integration/mozilla-inbound/rev/8a22078d93b2
|
||
Comment 3•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/8a22078d93b2
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
|
||
Updated•11 years ago
|
Attachment #763228 -
Flags: review?(luke) → review+
You need to log in
before you can comment on or make changes to this bug.
Description
•