Closed
Bug 452573
Opened 17 years ago
Closed 17 years ago
TM: various assertions with "typeof void ..."
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: mrbkap)
References
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
|
413 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
p.js:
for(var j=0;j<5;++j) typeof void /x/;
q.js:
for(var j=0;j<5;++j) typeof void 1;
$ ./js -j p.js
Assertion failure: JSVAL_IS_VOID(boxed) || JSVAL_IS_BOOLEAN(boxed), at jsbuiltins.cpp:577
Trace/BPT trap
$ ./js -j q.js
Assertion failed: "(((rmask(rr) & FpRegs) != 0))" ("nanojit/Nativei386.cpp":738)
nanojit/Nativei386.cpp:738: failed assertion `0'
Abort trap
I can't reproduce the bugs by pasting, only by feeding files to the js shell.
|
Assignee | |
Comment 1•17 years ago
|
||
TraceRecorder::record_JSOP_VOID expects the JSOP_VOID case in the interpreter to push the void value (I think that's why it assigns to stackdepth 0). This isn't true, so when we end up in TraceRecorder::record_JSOP_TYPEOF, we get a LIns for some random stack slot and call TypeOfBoolean with an uninitialized value.
|
||
Updated•17 years ago
|
Attachment #335937 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 2•17 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
||
Comment 3•17 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452573-01.js,v <-- regress-452573-01.js
initial revision: 1.1
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452573-02.js,v <-- regress-452573-02.js
initial revision: 1.1
http://hg.mozilla.org/mozilla-central/rev/c705a2fdffe7
Flags: in-testsuite+
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•