Closed Bug 454981 Opened 17 years ago Closed 17 years ago

TM: assertion of "size_t(p - cx->fp->slots) < cx->fp->script->nslots"

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: m_kato, Assigned: m_kato)

Details

Attachments

(2 files)

Attached patch: patch v1
On x86-64, the following script causes an assertion.

js> function test() { function f0() { return arguments[0]; } for (var i = 0; i < 4; i++) f0('a'); } test();
Global shape mismatch (124 vs. 0) in RecordTree, flushing cache.
Flushing cache.
recording starting from typein:1@14
trace
import vp=0x82e870 name=$callee0 type=object flags=0
import vp=0x82e878 name=$this0 type=object flags=0
import vp=0x82e960 name=$test.f0 type=object flags=0
import vp=0x82e968 name=$test.i type=int flags=0
state = param rdi
param1 = param rsi
sp = ldq state[0]
rp = ldq state[8]
cx = ldq state[24]
gp = ldq state[16]
eos = ldq state[32]
eor = ldq state[40]
$callee0 = ldq sp[-32]
$this0 = ldq sp[-24]
$test.f0 = ldq sp[-16]
ld1 = ld sp[-8]
$test.i = i2f ld1
sp[0] = $test.f0
sp[8] = 0
sp[16] = ATOM_TO_STRING(atom)
guard(shapeless callee) = eq $test.f0, JSVAL_TO_OBJECT(callee)
xf1: xf guard(shapeless callee) -> 0x82e784 sp+24 rp+0
EnterFrame f0, callDepth=1
Assertion failure: size_t(p - cx->fp->slots) < cx->fp->script->nslots, at jstracer.cpp:936
Aborted
Attachment #338292 - Flags: review?(danderson)
Assignee: general → m_kato
Comment on attachment 338292, patch v1:
This is definitely a valid bug. We don't want to abort the trace though, we're supposed to be filling missing parameters with JSVAL_VOID (which works on x86).
Attachment #338292 - Flags: review?(danderson) → review-
Attached patch: patch v2
It looks like (fp->fun->nargs - fp->argc) wasn't being sign-extended, so the pointer math became (ptr + 0x00000000FFFFFFFF). Maybe the math being in a parenthetical expression caused this. Attached a new patch.
Attachment #338697 - Flags: review?(m_kato)
Attachment #338697 - Flags: review?(m_kato) → review+
Comment on attachment 338697, patch v2:
Thanks, it works fine.
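The sign-extension point in the patch v2 comment, worked through as an added example. This is not the bug's patch or any SpiderMonkey code; the field widths (a uint16 nargs, an unsigned int argc), the pointer-sized jsval stand-in and the JSVAL_VOID sentinel value are assumptions made for illustration. Subtracting two unsigned 32-bit values yields an unsigned 32-bit result, so when argc exceeds nargs the difference wraps to 0xFFFFFFFF and is zero-extended, not sign-extended, when it is widened for 64-bit pointer arithmetic. On a 32-bit target the same wrapped value behaves as -1 slot, which is why the defect is masked on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the engine's types (assumed: nargs is a uint16, argc an
 * unsigned int, jsval is pointer-sized). The sentinel is a constructed value,
 * not the real JSVAL_VOID encoding. */
typedef uintptr_t jsval_t;
#define JSVAL_VOID_STANDIN ((jsval_t)0x0a)

/* Slot count the unguarded expression `nargs - argc` produces: both operands
 * promote to unsigned int, so argc > nargs wraps to 0xFFFFFFFF, and widening
 * to size_t zero-extends it (no sign extension ever happens). */
size_t missing_args_unsigned(uint16_t nargs, unsigned argc) {
    return (size_t)(nargs - argc);
}

/* The same quantity in a signed pointer-width type: -1 when argc > nargs. */
ptrdiff_t missing_args_signed(uint16_t nargs, unsigned argc) {
    return (ptrdiff_t)nargs - (ptrdiff_t)argc;
}

/* Byte displacement that `p + (nargs - argc)` applies to a jsval pointer on
 * this platform, computed as an integer so no out-of-bounds pointer is formed.
 * 32-bit: 0xFFFFFFFF slots * 8 wraps to 0xFFFFFFF8, i.e. p - 1 slot (harmless
 * here). 64-bit: 0x7FFFFFFF8 bytes, far beyond the frame's slots. */
uintptr_t slot_delta_unsigned(uint16_t nargs, unsigned argc) {
    unsigned diff = nargs - argc;
    return (uintptr_t)diff * sizeof(jsval_t);
}

/* Fill the formals the caller did not supply (argv[argc .. nargs-1]) with the
 * void sentinel. The argc >= nargs guard is what the unguarded arithmetic
 * lacked: with it, the subtraction cannot wrap. Returns the slots written. */
size_t fill_missing_args(jsval_t *argv, uint16_t nargs, unsigned argc, jsval_t void_val) {
    if (argc >= nargs)
        return 0;                        /* more actuals than formals: nothing missing */
    size_t n = (size_t)nargs - argc;     /* safe: guarded above */
    for (size_t i = 0; i < n; i++)
        argv[argc + i] = void_val;
    return n;
}

int main(void) {
    /* Shape of the reported case: f0() declares no formals (nargs = 0) and
     * is called with one actual (argc = 1). */
    printf("unsigned: %zu slots, signed: %td slots, delta: 0x%llx bytes\n",
           missing_args_unsigned(0, 1), missing_args_signed(0, 1),
           (unsigned long long)slot_delta_unsigned(0, 1));
    return 0;
}
```

The guard in fill_missing_args is the practical check: decide whether any formals are missing before doing the arithmetic, rather than letting a wrapped unsigned difference flow into pointer math and relying on 32-bit wraparound to land on a sane address.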
Pushed fix to tracemonkey branch as revision http://hg.mozilla.org/tracemonkey/rev/93cc00a53bd8
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-454981.js,v <-- regress-454981.js initial revision: 1.1
http://hg.mozilla.org/mozilla-central/rev/b7070ea346fc
Flags: in-testsuite+
Flags: in-litmus-
note to self: js1_8_1/trace/trace-test.js also exhibits this assertion on m-c.