Closed Bug 455969 Opened 16 years ago Closed 16 years ago

TM: "Assertion failure: v_ins->isCall() && v_ins->fid() == F_FastNewArray"

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED DUPLICATE of bug 457336
mozilla1.9.1b1

People

(Reporter: jruderman, Assigned: gal)

Details

(Keywords: assertion)

Attachments

(1 file)

Assertion failure: v_ins->isCall() && v_ins->fid() == F_FastNewArray, at jstracer.cpp:5414

0   JS_Assert + 63
1   TraceRecorder::record_JSOP_ENDINIT() + 261
2   js_Interpret + 175622
3   js_Execute + 813
4   JS_ExecuteScript + 54
5   Process(JSContext*, JSObject*, char*, int) + 578
6   ProcessArgs(JSContext*, JSObject*, char**, int) + 2158
7   main + 636
8   start + 54

I don't have a testcase, but Andreas thinks Brendan might be able to figure out the bug without one.

I ran jsfunfuzz overnight with "ulimit -c unlimited" so I'd get a core dump for each crash.  It hit this assertion once before running out of disk space ;)  I was then able to run "gdb ./js core.836" to get the state of the crashing process into the debugger.

The core file is 210MB, so I'll keep it around for a few days.

Jesse, can you poke at the core for me on IRC?

/be

This is a bug in the layering of TraceRecorder::record_JSOP_INITELEM on top of TraceRecorder::record_JSOP_SETPROP.

/be

Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b1
Assignee: general → brendan

The jsfunfuzz.js line at which the assertion botches is

function(dr) { return cat([makeId(dr)]); }

/be

Argh. This bit a js test -- shoulda fixed already.

/be

Assignee: brendan → gal
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE