Closed Bug 657288 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: offset < script->length, at ./jsanalyze.h:906

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

Christian Holler (:decoder)

Reporter

Description

•

13 years ago

The following testcase asserts on TI revision 693a36f402ee (run with -m -n -a),
tested on 64 bit:


new DoWhileObject;
function DoWhileObject(breakOut, breakIn, iterations, loops) {
    loops.prototype = new DoWhile;
    this.looping;
}
function DoWhile(object) {
    do {} while (object);
}

Brian Hackett [Laid off!]

Comment 1

•

13 years ago

When calling back into the interpreter, InternalInterpret (invoked by the interpoline) used JSINTERP_SAFEPOINT to skip the script prologue, but this also could cause the interpreter to fail to finish the entry frame.  This adds a JSINTERP_REJOIN mode which satisfies InternalInterpret's requirements --- the interpreter can start anywhere within the entry frame, but must finish it before returning.

http://hg.mozilla.org/projects/jaegermonkey/rev/3cd8666e409f

Status: NEW → RESOLVED

Closed: 13 years ago

Resolution: --- → FIXED

Christian Holler (:decoder)

Reporter

Comment 2

•

11 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug657288.js.

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

TI: Assertion failure: offset < script->length, at ./jsanalyze.h:906

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2