Closed
Bug 465688
Opened 17 years ago
Closed 17 years ago
TM: "Assertion failure: (m != JSVAL_INT) || isInt32(*vp)" with (-0x80000000)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: dvander)
Details
(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.31 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
js> for each (let d in [-0x80000000, -0x80000000]) - -d;
Assertion failure: (m != JSVAL_INT) || isInt32(*vp), at ../jstracer.cpp:1762
|
||
Updated•17 years ago
|
Flags: blocking1.9.1+
|
Assignee | |
Updated•17 years ago
|
Assignee: general → danderson
|
|
Assignee | |
Comment 1•17 years ago
|
||
We need to check that the value won't become a double in the interpreter.
Attachment #349527 -
Flags: review?(gal)
|
||
Updated•17 years ago
|
Attachment #349527 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 2•17 years ago
|
||
Pushed fix as changeset http://hg.mozilla.org/tracemonkey/rev/41fe2911e964
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
||
Comment 3•17 years ago
|
||
Comment on attachment 349527 [details] [diff] [review]
proposed fix
>diff -r 6d441358bc57 js/src/jstracer.cpp
>--- a/js/src/jstracer.cpp Fri Nov 21 15:31:59 2008 -0800
>+++ b/js/src/jstracer.cpp Fri Nov 21 17:04:55 2008 -0800
>@@ -5648,7 +5648,8 @@
> */
> if (isPromoteInt(a) &&
> (!JSVAL_IS_INT(v) || JSVAL_TO_INT(v) != 0) &&
>- (!JSVAL_IS_DOUBLE(v) || !JSDOUBLE_IS_NEGZERO(*JSVAL_TO_DOUBLE(v)))) {
>+ (!JSVAL_IS_DOUBLE(v) || !JSDOUBLE_IS_NEGZERO(*JSVAL_TO_DOUBLE(v))) &&
>+ -asNumber(v) == (int)-asNumber(v)) {
This is wrong if you are trying to test whether v contains an integral value that fits in a jsval -- use INT_FITS_IN_JSVAL.
/be
|
|
Assignee | |
Comment 4•17 years ago
|
||
I think it's okay if it doesn't fit into a JSVAL_INT, since we use full 32-bit integers on trace and unbox/box from doubles that fit into int32.
|
|
||
Comment 5•17 years ago
|
||
(In reply to comment #1)
> Created an attachment (id=349527) [details]
> proposed fix
>
> We need to check that the value won't become a double in the interpreter.
I read this before composing comment 3.
(In reply to comment #4)
> I think it's okay if it doesn't fit into a JSVAL_INT, since we use full 32-bit
> integers on trace and unbox/box from doubles that fit into int32.
Ok, so (double checking) did comment 1 say "in the interpreter" when it should have said "on trace"?
/be
|
||
Comment 6•17 years ago
|
||
fixed on tracemonkey, but not mozilla-central. reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [fixed-tracemonkey]
|
|
||
Comment 7•17 years ago
|
||
Checking in js1_8/regress/regress-465688.js;
/cvsroot/mozilla/js/tests/js1_8/regress/regress-465688.js,v <-- regress-465688.js
initial revision: 1.1
done
Flags: in-testsuite+
Flags: in-litmus-
|
||
Comment 8•17 years ago
|
||
|
|
||
Updated•17 years ago
|
Whiteboard: [fixed-tracemonkey] → fixed-in-tracemonkey
|
||
Comment 9•17 years ago
|
||
FIXED, per comment 8.
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
|
|
||
Updated•17 years ago
|
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
|
|
||
Comment 11•17 years ago
|
||
Keywords: fixed1.9.1
|
|
||
Comment 12•17 years ago
|
||
test included in js1_8_1/trace/trace-test.js
http://hg.mozilla.org/mozilla-central/rev/8f967a7729e2
|
|
||
Comment 13•17 years ago
|
||
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•