Closed Bug 451248 Opened 11 years ago Closed 11 years ago

TM: assert in browser

Categories

(Core :: JavaScript Engine, defect)

Other
Linux
defect
Not set

RESOLVED FIXED

People

(Reporter: dvander, Assigned: gal)

Assertion failure: (gslots[n]) < (uint32)(globalObj)->dslots[-1], at /home/dvander/tracemonkey/js/src/jstracer.cpp:603

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0xb7f12668 "(gslots[n]) < (uint32)(globalObj)->dslots[-1]",
    file=0xb7f11f68 "/home/dvander/tracemonkey/js/src/jstracer.cpp", ln=603) at /home/dvander/tracemonkey/js/src/jsutil.cpp:63
63          abort();
(gdb)
(gdb)
(gdb)
(gdb)
(gdb) up
#1  0xb7ea1e63 in TypeMap::captureGlobalTypes (this=0xbfffcfc8, cx=0xb0125ec0, slots=@0xb6bb7660)
    at /home/dvander/tracemonkey/js/src/jstracer.cpp:598
598         FORALL_GLOBAL_SLOTS(cx, ngslots, gslots,
(gdb) print vpname
$1 = 0xb7f1265f "global"
(gdb) print vpnum
$2 = 3
(gdb) bt
#0  JS_Assert (s=0xb7f12668 "(gslots[n]) < (uint32)(globalObj)->dslots[-1]",
    file=0xb7f11f68 "/home/dvander/tracemonkey/js/src/jstracer.cpp", ln=603) at /home/dvander/tracemonkey/js/src/jsutil.cpp:63
#1  0xb7ea1e63 in TypeMap::captureGlobalTypes (this=0xbfffcfc8, cx=0xb0125ec0, slots=@0xb6bb7660)
    at /home/dvander/tracemonkey/js/src/jstracer.cpp:598
#2  0xb7eb3925 in js_RecordTree (cx=0xb0125ec0, tm=0xb6bc8064, f=0xacea03e0) at /home/dvander/tracemonkey/js/src/jstracer.cpp:1672
#3  0xb7eb3dff in js_LoopEdge (cx=0xb0125ec0, oldpc=0xad1a5689 "\b��V", inlineCallCount=@0xbfffddbc)
    at /home/dvander/tracemonkey/js/src/jstracer.cpp:2051
#4  0xb7df7113 in js_Interpret (cx=0xb0125ec0) at /home/dvander/tracemonkey/js/src/jsinterp.cpp:3653
#5  0xb7e1f817 in js_Execute (cx=0xb0125ec0, chain=0xb0396560, script=0xacc2e800, down=0x0, flags=0, result=0x0)
    at /home/dvander/tracemonkey/js/src/jsinterp.cpp:1545

I avoid flushing the list of global slots when the shape changes, but it seems that dslots can shrink in length, so flush the list every time the shape of the global object changes. Testing again.

http://hg.mozilla.org/index.cgi/tracemonkey/rev/a8f3d5e798d8
Assignee: general → gal
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Flags: in-testsuite-
Flags: in-litmus-
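
The failure mode described in the comment above, as a simplified C++ model added here (not TraceMonkey's code): a cached slot index outlives a shrink of the slot array unless the cache is flushed whenever the shape changes. `GlobalObj`, `SlotCache`, `staleCount` and `shrinkScenario` are hypothetical names, `dslots.size()` stands in for the capacity the assertion reads from `dslots[-1]`, and the model assumes every resize changes the shape.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model; none of these types are SpiderMonkey's.
struct GlobalObj {
    uint32_t shape = 1;          // assumed to change on every layout change
    std::vector<int> dslots;     // dynamic slots; size() models dslots[-1]
    void resize(size_t n) { dslots.resize(n); ++shape; }
};

struct SlotCache {
    uint32_t shapeSeen = 0;        // shape under which the indices were recorded
    std::vector<uint32_t> gslots;  // cached indices into GlobalObj::dslots

    // Record a slot index only if it is in range right now.
    void track(const GlobalObj& g, uint32_t slot) {
        if (slot < g.dslots.size()) gslots.push_back(slot);
    }
    // Flush the cached list whenever the global object's shape has changed.
    void sync(const GlobalObj& g) {
        if (shapeSeen != g.shape) { gslots.clear(); shapeSeen = g.shape; }
    }
};

// Number of cached indices that would fail gslots[n] < capacity.
size_t staleCount(const SlotCache& c, const GlobalObj& g) {
    size_t bad = 0;
    for (uint32_t s : c.gslots)
        if (s >= g.dslots.size()) ++bad;
    return bad;
}

// Track slots 3 and 6, shrink dslots from 8 to 4, then count stale indices.
size_t shrinkScenario(bool flushOnShapeChange) {
    GlobalObj g;
    g.resize(8);
    SlotCache c;
    c.sync(g);                        // start from the current shape
    c.track(g, 3);
    c.track(g, 6);
    g.resize(4);                      // slot 6 no longer exists
    if (flushOnShapeChange) c.sync(g);
    return staleCount(c, g);
}

int main() {
    std::printf("no flush: %zu stale, flush: %zu stale\n",
                shrinkScenario(false), shrinkScenario(true));
}
```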