Closed
Bug 281487
Opened 20 years ago
Closed 19 years ago
on JSOP_ARGDEC with debug: Assertion failure: map->vector && i < map->length
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.8beta2
People
(Reporter: vogge, Assigned: brendan)
Details
(Keywords: js1.5, Whiteboard: [have patch])
Attachments
(1 file)
|
2.02 KB,
patch
|
shaver
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
If you start the jsshell and enter:
tracing(true);
var a = function (i,j,k) {
x = j--;
};
a(1,2,3);
you get an assertion on JSOP_ARGDEC:
js> tracing(true);
1: 00008: popv
inputs: tracing(true) @ 1
stack:
js> var a = function (i,j,k) {
x = j--;
};
2: 00000: defvar "a"
stack:
2: 00003: bindname "a"
output: a @ 1
stack: ({a:undefined})
2: 00006: anonfunobj (function (i, j, k) {x = j--;})
output:
function (i, j, k) {
x = j--;
}
@ 2
stack: ({a:undefined}) (function (i, j, k) {x = j--;})
2: 00009: setname "a"
inputs: a,
function (i, j, k) {
x = j--;
}
@ 2
output: a @ 1
stack: (function (i, j, k) {x = j--;})
2: 00012: pop
inputs: a @ 1
stack:
js> a(1,2,3);
5: 00000: name "a"
output: a @ 1
stack: (function (i, j, k) {x = j--;})
5: 00003: pushobj
output: [object global] @ 2
stack: (function (i, j, k) {x = j--;}) ({a:(function (i, j, k) {x = j--;})})
5: 00004: one
output: 1 @ 3
stack: (function (i, j, k) {x = j--;}) ({a:(function (i, j, k) {x = j--;})}) 1
5: 00005: uint16 2
output: 2 @ 4
stack: (function (i, j, k) {x = j--;}) ({a:(function (i, j, k) {x = j--;})}) 1
2
5: 00008: uint16 3
output: 3 @ 5
stack: (function (i, j, k) {x = j--;}) ({a:(function (i, j, k) {x = j--;})}) 1
2 3
5: 00011: call 3
@ 5
3: 00000: bindname "x"
output: x @ 1
stack: ({a:(function (i, j, k) {x = j--;})})
3: 00003: argdec 1
Assertion failure: map->vector && i < map->length, at jsatom.c:871
Reproducible: Always
Steps to Reproduce:
1. start jsshell.exe
2. activate tracing
3. call a function that decreases an argument
Actual Results:
Assertion with a popup-box to send the errorinformation to ms ;-))
Expected Results:
continue without assertion
It seems to happen when decompiling in jsinterp.c(5261):
str = js_DecompileValueGenerator(cx, n, sp[n], NULL);
and then js_GetAtom in jsatom.c
|
Assignee | |
Comment 1•20 years ago
|
||
More tracing badness? /be
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta2
|
|
Assignee | |
Comment 2•20 years ago
|
||
js_DecompileValueGenerator failed to adapt long ago when JSOP_GETARG, etc., were added to jsopcode.tbl. /be
Attachment #174115 -
Flags: review?(shaver)
|
|
Assignee | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
Whiteboard: [have patch]
Comment on attachment 174115 [details] [diff] [review] fix God, I love the decompiler. r=shaver
Attachment #174115 -
Flags: review?(shaver) → review+
|
|
Assignee | |
Comment 4•19 years ago
|
||
Fixed. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Comment 5•19 years ago
|
||
Checking in regress-281487.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-281487.js,v <-- regress-281487.js initial revision: 1.1 done
Flags: testcase+
|
|
||
Comment 6•18 years ago
|
||
verified fixed 1.8.x and trunk. Note comment in test <quote>This test requires a DEBUG build and will cause a false failure to be reported by jsDriver.pl since the tracing output will contain the string FAILED. This test only fails if it causes a crash.</quote>
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•