Closed Bug 593559 Opened 14 years ago Closed 14 years ago

"Assertion failure: !argv[-1].isMagic()" with iter.throw

Tracking

()

Status:

RESOLVED FIXED

Tracking Flags:

Tracking

Status

blocking2.0

---

betaN+

People

(Reporter: jruderman, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

maybe 14 years ago Luke Wagner [:luke] (deleted), patch	brendan : review+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

14 years ago

Testcase var iter = (function () {yield})(); var t = iter.throw; new t; Result Assertion failure: !argv[-1].isMagic(), at jsinterp.cpp:301 The first bad revision is changeset: 52720:66c8ad02543b user: Luke Wagner <lw@mozilla.com> date: Mon Aug 16 12:35:04 2010 -0700 summary: Bug 581263 - remove slow natives (r=waldo,mrbkap)

Luke Wagner [:luke]

Assignee

Comment 1

•

14 years ago

This predates bug 581263: JSFUN_CONSTRUCTOR (originally, JSFUN_FAST_CONSTRUCTOR) has the same value as JSPROP_READONLY. Hence, generator_throw is being interpreted as a constructor when it only wants to be a readonly property. A simple fix is to just use the recently-vacated JSFUN_FAST_NATIVE bit for JSFUN_CONSTRUCTOR, but I get the feeling this was supposed to work somehow... is something else amiss?

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Updated

•

14 years ago

blocking2.0: --- → ?

Luke Wagner [:luke]

Assignee

Comment 2

•

14 years ago

Attached patch maybe (deleted) — Details — Splinter Review

Assuming the answer to comment 1 is "this shouldn't have worked ever", the patch chooses a new bit for JSFUN_CONSTRUCTOR.

Assignee: general → lw

Status: NEW → ASSIGNED

Attachment #487144 - Flags: review?(brendan)

Robert Sayre

Updated

•

14 years ago

blocking2.0: ? → betaN+

Brendan Eich [:brendan]

Comment 3

•

14 years ago

Comment on attachment 487144 [details] [diff] [review] maybe Cool, I need this patch! /be

Attachment #487144 - Flags: review?(brendan) → review+

Luke Wagner [:luke]

Assignee

Comment 4

•

14 years ago

http://hg.mozilla.org/tracemonkey/rev/279e8fdbc346

Luke Wagner [:luke]

Assignee

Updated

•

14 years ago

Whiteboard: fixed-in-tracemonkey

Robert Sayre

Comment 5

•

14 years ago

http://hg.mozilla.org/mozilla-central/rev/279e8fdbc346

Status: ASSIGNED → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Comment 6

•

12 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug593559.js.

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

"Assertion failure: !argv[-1].isMagic()" with iter.throw

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: jruderman, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Updated

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type